Universal game server

ABSTRACT

A trusted disaster tolerant system architecture supporting concurrently a number of distributed online gaming operations such as slip-scan lottery, video lottery, fixed odd betting terminals, Internet gaming, and interactive TV. A personality front end resolves the peculiarities of the various client systems before submitting the relevant transactional payload to a trusted transactional cache. A universal game random generator may be used either at the central game server or at each individual gaming machine, thus conferring a significant trust to the entire estate of gaming machines fitted with the game random generator. An auditable trusted log allows to rapidly resolve any dispute. The instant-draw model and the differed-draw model are supported. The system may advantageously be used in casino environments.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is related in subject matter to commonly assigned PCTapplication entitled “Large Scale Controlled and Secure DataDownloading” International Application No. PCT/US02/37529 filed Nov. 22,2002 and claiming priority to U.S. provisional application 60/332,522filed on Nov. 23, 2001.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates generally to the field of online gaming as wellas interactive TV voting or gaming.

2. Copyright Notice/Permission

A portion of the disclosure of this patent document contains materialthat is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure as it appears in the Patent and TrademarkOffice patent file or records, but otherwise reserves all copyrightrights whatsoever. The following notice applies to the software and dataas described below and in the drawings hereto: Copyright 2003, CyberscanTechnology Inc., All Rights Reserved.

3. Description of the Related Art

Internet server based merchant sites such as Amazon.com have flourishedsince the explosion of the Internet. These very high traffic sites relyon a pervasive three-tier model: web page server farm, clustereddatabase server and web browser user interaction. The transactionaloperations such as adding an item to the shopping cart and proceedingwith credit card payment may take in the order of seconds to complete.During heavy traffic, the response time deteriorates rapidly.Transactional data travels via complex paths with multiplespeed-optimization caches, via executing machines selected by cookiedriven session state management, via imposing clusters and via hugelycomplex databases. Consequently, zero-loss of data integrity isdifficult to guaranty under all possible failure modes. Occasional lossof data integrity is not critical for an online merchant and a manualprocedure may be applied to resolve customers' complains. In addition,malicious intrusion, virus contamination and distributed denial ofservice are a permanent threat.

Internet technologies have matured somewhat and are now relativelysimple to implement; solutions can be rapidly developed. Some startupcompanies are now attempting to apply experience acquired in developingmerchant Internet sites to gaming sites including, for example, offshoreInternet gaming sites. Evidently, these gaming operations are notregulated and it is not known how these systems perform in comparisonwith conventional gaming systems such as online state lotteries andonline casino slots. Lately, some companies have proposed offshoreInternet gaming systems for use in casino and national video lotteries.Disaster tolerance with no interruption of service and zero-loss of dataintegrity is not even considered.

Although Internet server technology is tempting, it is clear that theInternet server technology is unproven and that due to its hiddencomplexity, it is immensely difficult to reassure game regulators as tothe integrity and security of systems using such Internet servertechnology. Moreover, gaming laboratories that test and certify gamingsystems for compliance with stringent data integrity principles wouldneed to invest considerably in educating their engineers. The“keep-it-simple” principle is still much favored by regulators.

Currently, in order to produce random game outcome, the majority ofgaming applications use either software methods or either plug-inhardware generators. Software-only random generators (also called pseudorandom generators) are well known for their poor quality in such thatknowledge may be acquired allowing to predict the numbers. On the otherside, plug-in hardware generators have a simple interface (such asRS232, Parallel port, USB) that can be observed and spoofed. Encryptedplug-in hardware generators are significantly costly and have not madeany inroad into the gaming machines such as used in the casinos. Inaddition, encrypted hardware generators are too slow to be used forserver based random generators.

SUMMARY OF THE INVENTION

The above-mentioned shortcomings and untrustworthiness of the prior artare addressed by embodiments of the present invention, which will beunderstood by reference to the following specification.

It is an object of the present invention to offer a system architecturecapable of supporting a distributed online gaming operation such asslip-scan lottery, video lottery, fixed odd betting terminals, Internetgaming and interactive TV.

It is another object of the present invention to offer a systemarchitecture that is configured to concurrently support a number ofdistributed online gaming operations such as, for example, slip-scanlottery, video lottery, fixed odd betting terminals, Internet gaming,and interactive TV. A personality front end resolves the peculiaritiesof the various client systems before submitting the relevanttransactional payload to a trusted transactional cache.

It is another object of the present invention to offer a trusted systemarchitecture. A persistent synchronized auditable trusted log in thetrusted server cache isolated from the business server allows most anydispute to be rapidly resolved by reference thereto.

It is still another object of the present invention to offer a disastertolerant system architecture. A “N-transaction” model is proposed forthe differed-draw model, and a geographically separated load-balancingmodel is proposed for the instant-draw model.

It is yet another object of the present invention to merge trusted gametransaction technology with Internet technology in order to benefit ofthe lower cost of Internet networking.

The methods and systems disclosed herein may advantageously be used incasino environments.

Accordingly, an embodiment of the present invention is an online gamingsystem, comprising: a communication network; at least two centralservers, each of the at least two servers being coupled to the network,and at least one gaming machine coupled to the communication network,each of the at least one gaming machine being configured to carry out agame transaction for each game played and to commit each gametransaction to each of the at least two central servers.

Each of the at least two central servers may return a game transactioncommit acknowledgment to the at least one gaming machine. The gamingmachine may acknowledge to a player a validity of the game transactionupon receipt of at least one game transaction commit acknowledgmentduring a predetermined timeout period following the commit of the gametransaction to each of the at least two central servers. Each gametransaction committed to each of the at least two central servers mayhave an identical inbound game payload comprising at least one of agaming machine ID, a user/player ID, a transaction GUID, a gamingmachine originating/return address, a game ID, a game bet, and an amountwagered. The at least one gaming machine may be configured to be anactive participant in a fault tolerance of the online gaming system. Theat least one gaming machine may be configured to construct asynchronization log for rebuilding one or a plurality of the at leasttwo central servers upon failure thereof. The online gaming system maybe further configured to be rapidly synchronized by using thesynchronization log upon returning to its operational state subsequentto failing to communicate with the at least one gaming machine. Thecommunication network may be or include the Internet and a protocol totransport a payload of each game transaction may be UDP, for example.The at least two central servers and the at least one gaming machine maybe configured to support instant-draw and deferred-draw of randomevents. The at least two central servers may be geographically remotefrom one another. Each of the at least two central servers may include atrusted transactional cache, the trusted transactional cache beingconfigured to process each committed game transaction, and to providereal time persistent storage and logging of aspects of each committedgame transaction. The at least two central servers may further compriseat least one of a trusted transactional cache, a business server and alogistic support server.

According to another embodiment thereof, the present invention is anonline gaming system, comprising a communication network; at least twogeographically dispersed central servers, each of the at least twogeographically dispersed central servers being coupled to thecommunication network, at least two gaming machines, each of the atleast two gaming machines being coupled to the communication network andbeing configured to carry out a game transaction for each game played,the at least two gaming machines being configured to carry out loadbalancing when committing the game transactions to the at least twogeographically dispersed central servers over the communication network.

The load balancing may include having each gaming machine selecting onlyone of the at least two geographically dispersed central servers towhich to commit the game transaction. The communication network may bethe Internet and a protocol to transport a payload of each gametransaction may be UDP, for example. The at least two central serversand the at least two gaming machines may be configured to supportinstant-draw and deferred-draw of random events. The at least twogeographically dispersed central servers may each further comprise atrusted transactional cache, the trusted transactional cache beingconfigured to process each committed game transaction, and to providereal time persistent storage and logging of aspects of each committedgame transaction. The at least two geographically dispersed centralservers may further comprise at least one of a trusted transactionalcache, a business server and a logistic support server.

According to still another embodiment thereof, the present invention isan online gaming system, comprising: a communication network; aplurality of gaming machines, each of the plurality of gaming machinesbeing configured to carry out game transactions and being coupled to thecommunication network, and N geographically dispersed central servers,each of the N geographically dispersed central servers being coupled tothe communication network, selected ones of the plurality of gamingmachines being further configured to perform load balancing whencommitting transactions to the N geographically dispersed centralservers and selected ones of the plurality of gaming machines beingconfigured to commit game transactions to each of the N geographicallydispersed central servers.

The load balancing may include having each gaming machine selecting onlyone of the N geographically dispersed central servers to which to committhe game transaction. Each of the N geographically dispersed centralservers may be configured to return a game transaction commitacknowledgment to the gaming machine that initiated the transactioncommit over the communication network. The gaming machine mayacknowledge to the player the validity of the game transaction uponreceipt of at least one game transaction commit acknowledgment during apredetermined timeout period following the commit of the gametransaction to each of the N geographically dispersed central servers.Each game transaction committed to each of the N geographicallydispersed central servers may have an identical inbound game payloadcomprising at least a selected set of the at least one gaming machineID, the user/player ID, the transaction GUID, the gaming machineoriginating/return address, the game ID, the game bet, and the amountwagered. The communication network may include the Internet and aprotocol to transport a payload of each of the game transactions may beUDP, for example. The N geographically dispersed central servers and theplurality of gaming machines may be configured to support instant-drawand deferred-draw of random events. The N geographically dispersedcentral servers may each further comprise a trusted transactional cache,the trusted transactional cache being configured to process eachcommitted game transaction, and to provide real time, secure andpersistent storage and logging of aspects of each committed gametransaction. Each of the N geographically dispersed central servers mayfurther comprise at least one of a trusted transactional cache, abusiness server and a logistic support server.

An embodiment of the present invention is an online gaming system,comprising a plurality of gaming machines, each of the plurality ofgaming machines being configured to generate and send an inboundtransaction packet that may include an inbound transaction payloadacross at least one of a plurality of communication networks accordingto one of a plurality of communication protocols; at least one centralserver coupled to the plurality of communication networks and to each ofthe at least one central servers, the at least one central serverincluding: at least one transaction engine configured to process inboundtransaction payloads to generate corresponding outbound transactionpayloads; a personality front end, the personality front end beingconfigured to interface with each of the plurality of communicationnetworks to receive inbound transaction packets from the plurality ofgaming machines, to extract the inbound transaction payloads from thereceived inbound transaction packets, to submit the extracted inboundpayloads to the at least one transaction engine, to generate outboundtransaction packets that may include the corresponding outboundtransaction payloads and to send the generated outbound transactionpackets to a selected one of the plurality of gaming machines.

The inbound transaction payload may include at least one of a gamingmachine ID, a user/player ID, a transaction GUID, a terminaloriginating/return address, a game ID, a game bet, and an amountwagered. The personality front end may be further configured totranscode specific transaction payloads produced by the plurality ofgaming terminals into generic transaction payloads. The plurality ofcommunication networks may include at least one of dial-up, X25, FrameRelay, leased line, Internet and VPN, for example. The communicationprotocol(s) may be selected from one of proprietary, X25, TCP/IP, UDP,HTTP, XML and SOAP protocols, for example.

The present invention, according to another embodiment thereof, is agame random number generator for supplying random game numbers to agaming machine, comprising at least one hardware number generatorconfigured to provide random number seeds at a predetermined rate, andat least one pseudo-random number generator coupled to the at least onehardware number generator, the at least one pseudo-random numbergenerator being configured to generate the random game numbers from therandom number seeds generated by the at least one hardware numbergenerator.

The game random number generator may further include a first trusted logconfigured to securely log all of random number seeds generated by theat least one hardware number generator. The game random number generatormay further include a second trusted log configured to securely log allof random game numbers generated by the at least one pseudo-randomnumber generator. The at least one pseudo-random number generator may beconfigured to supply game random numbers on demand for each individualgame draw within the gaming machine. The game random number generatormay further include at least one game result assembler coupled to the atleast one pseudo-random number generator, the at least one game resultassembler being configured to receive random game numbers produced bythe at least one pseudo-random number generator and to generate rangingrandom game numbers. For example, the at least one hardware randomnumber generator may be one of a RNG of Intel 8XX series of PCmotherboard chipsets, the chipset being integrated on a motherboard of acomputer within the gaming machine; a RNG of a secure smart cardcommunicating with the computer within the gaming machine; a RNG of asecure smart device communicating with the computer of the gamingmachine; a RNG of a processor compliant with Microsoft Next-GenerationSecure Computing Base, the processor being integrated on the motherboardof the computer of the gaming machine; a RNG of a motherboard chipsetcompliant with Microsoft Next-Generation Secure Computing Base, thechipset being integrated on the motherboard of the computer of thegaming machine; a RNG of a security plug-in device communicating withthe computer within the gaming machine, and/or a RNG of an add-on cardor add-on board security device communicating with the computer withinthe gaming machine.

The present invention, according to another embodiment thereof, may alsobe viewed as a gaming system comprising at least one gaming machine; atleast one central game server coupled to the at least one gaming machineover a network, the at least one central game server including: at leastone hardware number generator configured to provide random number seedsat a predetermined rate, and at least one pseudo-random number generatorcoupled to the at least one hardware number generator, the at least onepseudo-random number generator being configured to generate, on demand,the random game numbers from the random number seeds generated by the atleast one hardware number generator.

The gaming system may further include a first trusted log configured tosecurely log all of random number seeds generated by the at least onehardware number generator. The gaming system may further include asecond trusted log configured to securely log all of random game numbersgenerated by the at least one pseudo-random number generator. The atleast one pseudo-random number generator may be configured to supplygame random numbers on demand for each individual game draw within thegaming machine. The gaming system may further include at least one gameresult assembler coupled to the at least one pseudo-random numbergenerator, the at least one game result assembler being configured toreceive random game numbers produced by the at least one pseudo-randomnumber generator and to generate ranging random game numbers. The atleast one hardware random number generator may be one of, for example, aRNG of Intel 8XX series of PC motherboard chipsets, the chipset beingintegrated on a motherboard of a computer within the gaming machine; aRNG of a secure smart card communicating with the computer within thegaming machine; a RNG of a secure smart device communicating with thecomputer of the gaming machine; a RNG of a processor compliant withMicrosoft Next-Generation Secure Computing Base, the processor beingintegrated on the motherboard of the computer of the gaming machine; aRNG of a motherboard chipset compliant with Microsoft Next-GenerationSecure Computing Base, the chipset being integrated on the motherboardof the computer of the gaming machine; a RNG of a security plug-indevice communicating with the computer within the gaming machine, and/ora RNG of an add-on card or add-on board security device communicatingwith the computer within the gaming machine.

According to another embodiment, the present invention is a gamingsystem comprising at least one gaming machine, including: at least onefirst hardware number generator configured to provide random numberseeds at a predetermined rate, and at least one first pseudo-randomnumber generator coupled to the at least one first hardware numbergenerator, the at least one first pseudo-random number generator beingconfigured to generate, on demand, the random game numbers from therandom number seeds generated by the at least one first hardware numbergenerator for each game draw performed at the at least one gamingmachine; at least one central game server coupled to the at least onegaming machine, the central game server including: at least one secondhardware number generator configured to provide random number seeds at apredetermined rate, and at least one second pseudo-random numbergenerator coupled to the at least one second hardware number generator,the at least one second pseudo-random number generator being configuredto generate, on demand, the random game numbers from the random numberseeds generated by the at least one second hardware number generator foreach game draw performed at the at least one gaming machine.

The gaming system may further include a first trusted log configured tosecurely log all of random number seeds generated by the at least onefirst hardware number generator, and a second trusted log configured tosecurely log all of random number seeds generated by the at least onesecond hardware number generator. The gaming system may further include:a third trusted log configured to securely log all of random gamenumbers generated by the at least one first pseudo-random numbergenerator, and a fourth trusted log configured to securely log all ofrandom game numbers generated by the at least one second pseudo-randomnumber generator. The first and second hardware random number generatorsmay be identical. The first and second pseudo random number generatorsmay be identical. The at least one gaming machine may be configured toselect at least one random game number for each game draw from the atleast one first pseudo-random number generator or from the secondpseudo-random number generator. The gaming system may further include atleast one game result assembler coupled to the at least one firstpseudo-random number generator or to the at least one secondpseudo-random number generator, the at least one game result assemblerbeing configured to receive random game numbers produced by the first orsecond pseudo-random number generators and to generate ranging randomgame numbers. The first or second hardware random number generator maybe one of, for example, a RNG of Intel 8XX series of PC motherboardchipsets, the chipset being integrated on a motherboard of a computerwithin the gaming machine; a RNG of a secure smart card communicatingwith the computer within the gaming machine; a RNG of a secure smartdevice communicating with the computer of the gaming machine; a RNG of aprocessor compliant with Microsoft Next-Generation Secure ComputingBase, the processor being integrated on the motherboard of the computerof the gaming machine; a RNG of a motherboard chipset compliant withMicrosoft Next-Generation Secure Computing Base, the chipset beingintegrated on the motherboard of the computer of the gaming machine; aRNG of a security plug-in device communicating with the computer withinthe gaming machine, and/or a RNG of an add-on card or add-on boardsecurity device communicating with the computer within the gamingmachine.

According to still another embodiment, the present invention may beviewed as a gaming machine configured to execute game draws whoseoutcome depend upon random game numbers, the gaming machine comprising:at least one hardware number generator configured to provide randomnumber seeds at a predetermined rate, and at least one pseudo-randomnumber generator coupled to the at least one hardware number generator,the at least one pseudo-random number generator being configured togenerate the random game numbers from the random number seeds generatedby the at least one hardware number generator.

The gaming machine may further include a first trusted log configured tosecurely log all of random number seeds generated by the at least onehardware number generator. The gaming machine may further include asecond trusted log configured to securely log all of random game numbersgenerated by the at least one pseudo-random number generator.

Another embodiment of the present invention may be defined as a gamingsystem comprising: a communication network; at least one central webserver, each of the at least one central web server being coupled to thenetwork, at least one central transaction server, each of the at leastone central transaction server being coupled to the network and, atleast one web browser based gaming machine coupled to the communicationnetwork, each of the at least one web browser based gaming machinecomprising: a standard web browser being configured to display rich pagecontent and animations of the games produced by the at least one centralweb server, and a plug-in for the standard web browser, the plug-inbeing configured to carry out a game transaction for each game playedand to commit each game transaction to the at least one centraltransaction server.

The communication network may be or include the Internet. The plug-inmay be configured to complete the game transaction upon receipt of avalidation transaction from the at least one central transaction server.The committed game transaction may include an inbound game payloadcomprising at least one of a gaming machine ID, a user/player ID, atransaction GUID, a gaming machine originating/return address, a gameID, a game bet, and an amount wagered. The validation transaction fromthe at least one central transaction server may include an outboundpacket comprising at least one of a gaming machine ID, a user/player ID,a transaction GUID, and an outcome of the game. The plug-in may befurther configured to commit each game transaction to each of the atleast one central transaction servers.

Yet another embodiment of the present invention is an on-line gamingsystem, comprising a communication network; at least two centralservers, each of the at least two central servers being coupled to thecommunication network; at least one gaming machine coupled to thecommunication network, each of the at least one gaming machine beingconfigured to carry out a game transaction for each game played and tocommit each game transaction to each of the at least two centralservers; each of the at least two central servers may include a trustedtransactional cache, the trusted transactional cache being configured toprocess each committed game transaction and each of the at least onegaming machine may be configured to actively participate in a continuedavailability of the gaming system by contributing to a building of asynchronization log such that a failed trusted transaction cache may besynchronized using the synchronization log upon the failed trustedtransactional cache returning to an operational state.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a conventional secure online transactional topology.

FIG. 2 shows a conventional transaction initiation model.

FIG. 3 shows a conventional transaction retry model, according to anembodiment of the present invention.

FIG. 4 shows a conventional end of transaction acknowledgment model.

FIG. 5 shows a conventional web server topology.

FIG. 6 shows web service with transactions captured by dialuptransactional server, according to an embodiment of the invention.

FIG. 7 shows a fast dialup transaction capture, according to anembodiment of the present invention.

FIG. 8 shows a web browser transaction engine plug-in, according to anembodiment of the present invention.

FIG. 9 shows web service with transactions committed by dialup,according to an embodiment of the present invention.

FIG. 10 shows the merging of web services and transactional services,according to an embodiment of the present invention.

FIG. 11 shows the merging of web services and Internet routedtransactional services, according to an embodiment of the presentinvention.

FIG. 12 shows an “n”-transaction model—nominal mode, according to anembodiment of the present invention.

FIG. 13 shows an “n”-transaction model—failure of one server, accordingto an embodiment of the present invention.

FIG. 14 shows an “n”-transaction model—synchronization log, according toan embodiment of the present invention.

FIG. 15 shows a “2” transaction model—server and network servertopology, according to an embodiment of the present invention.

FIG. 16 shows a “2” transaction model—distributed load replication,according to an embodiment of the present invention.

FIG. 17 shows a “2” transaction model—load failover, according to anembodiment of the present invention.

FIG. 18 shows a system architecture overview, according to an embodimentof the present invention.

FIG. 19 shows a trusted transactional cache overview, according to anembodiment of the present invention.

FIG. 20 shows a business server overview, according to an embodiment ofthe present invention.

FIG. 21 shows a logistic support overview, according to an embodiment ofthe present invention.

FIG. 22 shows a personality front-end overview, according to anembodiment of the present invention.

FIG. 23 shows 2-sites geographically dispersed load balancing, accordingto an embodiment of the present invention.

FIG. 24 shows 2-sites geographically dispersed load balancing—failover,according to an embodiment of the present invention.

FIG. 25 shows 3-sites geographically dispersed load balancing, accordingto an embodiment of the present invention.

FIG. 26 shows 3-sites geographically dispersed load balancing—failover,according to an embodiment of the present invention.

FIG. 27 shows a Universal Game Random Number Generator (RNG), accordingto another embodiment of the present invention.

FIG. 28 shows a gaming system and illustrates both localized andcentralized random game number generation using the present UniversalGame RNG, according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

In the following detailed description of exemplary embodiments of theinvention, reference is made to the accompanying drawings, which form apart hereof, and in which is shown by way of illustration specificexemplary embodiments in which the invention may be practiced. Theseembodiments are described in sufficient detail to enable those skilledin the art to practice the invention, and it is to be understood thatother embodiments may be utilized and that logical, mechanical,electrical and other changes may be made without departing from thespirit or scope of the present invention. The following detaileddescription is, therefore, not to be taken in a limiting sense, and thescope of the present invention is defined only by the appended claims.

FIG. 1 illustrates a conventional secure online transactional topology100 used for transactional business applications 114 such as banking,healthcare or retail terminals 106, lottery terminal 108, transactionalkiosk 110 and video gaming machines 112. Typically, a transactionalserver 102 communicates with online terminals 106, 108, 110, 112 via aprivate network 104. Within the context of the present invention, theterms “online terminal”, “terminal”, “game machine” and “gaming machine”and their corresponding plural forms are interchangeable and may besubstituted for one another without loss of meaning or generality.Large-scale conventional transactional systems have been conceived forslow, unreliable and expensive private networks 104 prior to theInternet era; as a result, the application layer protocols on which theyare based are somewhat simple, although exceptionally efficient and ableto fully recover from errors. The X25 protocol and derivatives thereoffor the link layer were universally favored for private networking untilsecure Internet solutions such as VPN and IPSec have become widelyavailable and trusted. When applied to new generation high bandwidthnetworks, these protocols provide ultra fast transactional services.

FIG. 2 shows a proven transaction model 200 used as application layerfor the conventional secure online transactional business andillustrates the flow of transactional information over time from theuser 202 to the terminal 204, through the network 206 to the server 208.In this model, the terminal is the “transaction master”, that is, atransaction 212 is always initiated at the terminal 204 and isterminated at the terminal by the printing or viewing of anacknowledgment or receipt, as shown at 224. The time axis 210 isoriented from top to bottom. Furthermore, as will be described later,the terminal is entirely responsible for the recovery of any error thatmay occur in the network path. In a typical transaction in which noerror occurs, a user 202 initiates a transaction 212 at a terminal 204.This transaction initiation may be the result of clicking on a submitbutton on a dialog entry form, pressing a play button on a gamingmachine or the result of a play-slip presented and scanned into alottery scanner. Upon transaction initialization, the terminal 204executes a process 214 concluded by the forwarding of a communicationpacket 216 to the network 206. The server 208 receives the inboundpacket 216 on which it executes the transaction 218. At the conclusionof transaction 218, the server 208 generates and returns an outboundcommunication packet 220 that is forwarded to the network 206. Uponsuccessful receipt of the packet 220, the terminal 204 examines theserver acknowledge signal received at 222. Upon successfulidentification of the server acknowledge signal, the terminal issues areceipt 224 to the user 202 or alternatively displays the receipt.

In general, the series of actions and/or processes initiated by a user(or an equivalent automated process) leading to the forwarding of aninbound transaction packet to the transaction server is called“committing a transaction” or “a transaction commit”.

In order to make a distinction with the “N” transaction model that willbe detailed later in this document, the conventional model 200 of FIG. 2is called the “One” transaction model. FIG. 3 illustrates a proven retrymodel 300 used for the conventional secure online transactionalbusiness. The terminal will continually keep retrying to send atransaction commit until a server acknowledgement is received. In thisextremely simple error recovery model, it is not necessary to know whereexactly the failure has occurred. The failure may have occurred at anypoint along the path of the transaction. FIG. 3 shows the case in whichthree recovery attempts are made. The user 302 initiates a transaction312, then the terminal 304 executes the process 314, whereupon acorresponding transaction packed is forwarded at 316 to the network 306.

It is now assumed that a failure along the network path 306 prevents theserver 308 from receiving the inbound packet at its interface, as shownat 318. After a predetermined time-out, the terminal 304 determines thatno server acknowledgement has been received. Consequently, the terminal304 re-sends the transaction packet (retry #1 320) that is forwarded at322 to the network 306.

Another failure along the network path 306 now prevents the server 308from receiving the inbound packet at its interface, as shown at 324.After a predetermined time-out, the terminal 304 again determines thatno server acknowledgement has been received, and again re-sends thetransaction packet (retry #2 326) that is forwarded at 328 to thenetwork 306.

A third failure along the network path 306 now prevents the server 308from receiving the inbound packet at its interface, as shown at 330.After a predetermined time-out, the terminal 304 again determines thatno server acknowledgement has been received, consequently, it re-sendsthe transaction packet (retry #3 332) that is forwarded at 334 to thenetwork 306.

The server 308 receives the inbound packet 334 on which it executes thetransaction, as shown at 336. At the conclusion of process 336, theserver generates and returns an outbound communication packet 338 thatis forwarded to the network 306. Upon successful receipt of the packet338, the terminal 304 executes process 340 and examines the serveracknowledge signal 341. Upon successful identification of the serveracknowledge signal, the terminal issues a receipt 342 to the user 302 oralternatively displays the receipt.

Should a duplicate server outbound packet be received by the terminal,because for example of excessive time delay in the communication linkwhich triggered the terminal to initiate a retry, the duplicate orduplicates packets are simply ignored.

FIG. 4 illustrates a proven acknowledgment model 400 used for theconventional secure online transactional business. Error recovery is notshown; however, it will be appreciated by those of skill in the art thatthe “retry” principles illustrated in FIG. 3 are immediately applicable.Each individual terminal transaction commit is completed when a “serveracknowledgment” is received from the central server. On the other side,the server 408 needs be informed that the terminal 404 has indeedreceived its acknowledgment. For this, a “terminal acknowledgment” issent to the central server 408 together with the next terminaltransaction commit. A special end-of-session transaction (user generatedor automatically generated) is forwarded by the terminal 404, at the endof the day for example, to resolve the ambiguity if or when the terminal404 no longer sends normal transaction commits.

FIG. 4 shows three successive normal terminal transaction cycles (1)413, (2) 431, (3) 451, followed by an end-of-session (4) 471 cycle. Thearrow 410 indicates the passage of time.

Cycle (1) for the first transaction is exactly as described in FIG. 2.The user or an automated process initiates the transaction at 412, afterwhich the terminal executes a process 414 concluded by the forwarding ofa communication (transaction) packet 416 to the network 406. Thecommunication packet is received by the server 408 at 418, whereupon theserver 408 executes transaction #1, as shown at reference 420. Theserver 408 sends an acknowledgment S-Ack#1422 through the network 406,as shown at 424. The terminal 404 then receives the S-Ack#1 at 426. Theletter “S” in S-Ack means that it is a “server” acknowledgment. Theterminal 404 may then print or otherwise provide the user 402 with areceipt of the completed transaction, as shown at 428.

In cycle (2), a second transaction 430 is initiated by the user 402. Theterminal 404 executes process 432 in which it assembles the transactionpacket for the second transaction 430 with the addition of a terminalacknowledgment T-Ack#1 433 for the first transaction 412. The letter “T”in T-Ack means that it is a “terminal” acknowledgment. The terminalacknowledgment T-Ack#1 is simply to inform the server 408 thattransaction cycle (1) did indeed complete successfully, meaning that theterminal did successfully print or display receipt#1, as shown at 448.The transaction packet for the second transaction is forwarded at 434through the network 406 and received by the server 408, as shown at 436.T-Ack#1 is received by the server 408 at 438, and the server 408executes transaction #2, as shown at reference 440. The server 408 sendsan acknowledgment S-Ack#2 442 through the network 406, as shown at 444.The terminal 404 then receives the S-Ack#2 at 446. The terminal 404 maythen print or otherwise provide the user 402 with a receipt of thecompleted transaction, as shown at 448.

It is to be noted that a terminal acknowledgment to inform the server ofthe success of the previous terminal transaction is differed until thenext transaction cycle. This way, we do not end up in an endless trainof “acknowledging-the-acknowledge” that would rapidly jam the network.However, it will be appreciated by those of skill in the art that apredetermined timeout may be set to let the terminal return the terminalacknowledgment signal to the server after a predetermined time, in casethere is a long period of user inactivity at the terminal.

In cycle (3), a third transaction 450 is initiated by the user 402. Theterminal 404 executes process 452 in which it assembles the transactionpacket for the third transaction 450 with the addition of a terminalacknowledgment T-Ack#2 453 for the second transaction 430. The terminalacknowledgment T-Ack#2 informs the server 408 that transaction cycle (2)did indeed complete successfully, meaning that the terminal didsuccessfully print or display receipt#2, as shown at 448. Thetransaction packet for the third transaction is forwarded at 454 throughthe network 406, and received by the server 408 at 456. T-Ack#2 isreceived by the server 408 at 458, and the server 408 executestransaction #3, as shown at reference 460. The server 408 sends anacknowledgment S-Ack#3 462 through the network 406, as shown at 464. Theterminal 404 then receives the S-Ack#3 at 466. The terminal 404 may thenprint or otherwise provide the user 402 with a receipt of the completedtransaction, as shown at 468.

In cycle (4), a special end-of-session transaction 470 (user generatedor automatically generated) is forwarded at 472 by the terminal 404through the network 406 as shown at 474 to the central server 408, asshown at 476. At 478, T-Ack#3 is received by the server 408, as is theend-of-session transaction, as shown at 480. The purpose of the specialend-of-session transaction 470 is simply to inform the server 408 that,at the previous cycle, receipt#3 468 has been successfully printed orviewed. Upon examination of T-Ack#3 at 478, the central server 408executes an End-Of-Session process as shown at 480 that brings to an endthe acceptance of further transaction commits from the terminal 404. Theserver returns an S-EOS signal at 482 through the network 406 to theterminal 404, as shown at 486. The terminal 404 then prints, displays orotherwise provides and End-Of-Session message 488 to the user 402.

Although the server will not be immediately informed that the terminalhas successfully completed the printing or displaying of theEnd-Of-Session message 488, it will be appreciated by those of skill inthe art that a terminal acknowledgment may be received at a later time,for example the next day when the user logs-in again at the terminal tocommence transactional activity. In this manner, the server will clearthe doubts on whether or not the terminal has successfully completed theEnd-Of-Session cycle the previous day.

FIG. 5 illustrates a conventional Internet commerce topology 500 for PCusers, mobile users and home users. The web farm and relational databaseserver are not shown for simplicity. In the case of, for example,merchant sites such as Amazon.com, a large number of home users 502 andmobile users 504 are connected to a web server 506 via the Internet 508.Home users 502 may typically make a purchase using a home PC 516 or a TVInternet appliance such as WebTV 518, for example. Mobile users 504 maymake purchases via a WAP enable telephone 520, a palmtop device 522, alaptop or other mobile computer 524, for example.

These very high traffic sites rely on the pervasive three-tier model:web page server farm, clustered database server and web browser userinteraction (the web farm and relational database server are not shownfor simplicity). The transactional operations such as adding an item toa shopping cart and proceeding with credit card payment may take on theorder of seconds to complete. During heavy traffic, the response timedeteriorate rapidly. Transactional data travel via complex paths withmultiple speed-optimization caches, via executing machines selected bycookie driven session state management, via imposing clusters, viahugely complex databases; consequently, zero-loss of data integrity isdifficult to guarantee under all possible failure modes. Occasional lossof data integrity is not critical for an online merchant as manualprocedures may be applied to resolve customers' complaints. In addition,malicious intrusion, virus contamination and distributed denial ofservice are a permanent threat.

Internet technologies have matured and are relatively simple toimplement; solutions can be rapidly developed. Some startup companiesare now attempting to apply the experience acquired in developingmerchant Internet sites to gaming sites such as offshore Internet gamingsites, for example. Evidently, these gaming operations are not regulatedand it is not known how these systems perform in comparison withconventional gaming systems such as online state lotteries and onlinecasino slots. Lately, some companies have proposed offshore Internetgaming systems for use in casino and national video lotteries. Disastertolerance with no interruption of service and zero-loss of dataintegrity is not even considered.

Although the use of conventional Internet server technology is tempting,it is clear that the Internet server technology is unproven. Moreover,due to the hidden complexity of Internet server technology, it isimmensely difficult to reassure game regulators. In addition, gaminglaboratories that test and certify gaming systems for compliance withstringent data integrity principles would need to invest considerably ineducating their engineers in such technologies.

Consequently, the major drawback of such “all-Internet” topologies isthe inability to support fast and trusted transactional applicationsthat require a turn around time at server of less than 100 millisecondsand with a traffic load of tens of thousand of transactions per seconds.

FIG. 6 illustrates a topology 600 that merges Internet technology withdialup transactional techniques, according to an embodiment of thepresent invention. As shown, the rich content to be displayed to theusers 606, 614 is handled by the web server 602 while the transactionaltraffic is handled via fast dialup access. The advantage of using thedialup access is that the telephone network is capable of simultaneouslyand reliably handling a huge number of user connections, especially ifthe connection time is limited to a few seconds only. Moreover, thetransactional server 624 is designed in accordance with the conventionalsecure online transactional principles discussed above. This fast dialupapproach in combination with a moderately scaled-up transactionalserver, may offer transactional performance of one million transactionsper second, as shown at 634. This order of performance may be requiredwhen considering interactive TV applications whereby tens of millions ofviewers may wish to participate in an instant voting or instant purchasewhile they watch an event on TV. The sluggishness of the web page updatedoes not jeopardize the user instant voting or purchase experience. Forinstant purchasing, the interactive TV operator may use the 1-clickmodel of Amazon.com, for example, whereby the user's payment means havebeen pre-approved.

The mobile users 606 using such devices as shown at 608, 610 and 612,the home users 614 using such devices as shown at 616 and 618 and webserver 602 are connected to the Internet 604 and may operate asdescribed relative to FIG. 5. In addition to Internet access 620, 622,home users 614 are be able to link-up to a transactional server 624 withdirect dial-up 628 630, 626, 632. With such a topology, home users 614route the transactional traffic through the dialup network to thetransactional server 624 assuming a fast dialup technique holding theline for a few seconds only (fast dialup described herein below);consequently, a performance in the order of, for example, about 1million transactions per second is easily achievable, as suggested at634.

FIG. 7 illustrates a model 700 for a fast dialup establishment, atransaction commit, a server acknowledge, and then the release of theline. Arrow 716 indicates the passage of time. With adequately tunedcommunicating equipment, a fast dialup transaction cycle may beperformed in less than one second. For this, the transactional terminal704 may be a home PC 616, a game appliance 616, an Internet appliance616 or a TV appliance 618 that is equipped with a telephone modem 706.The central server 714 interfaces to the dialup network 708, 710 via aRemote Access Server (RAS) 712. The RAS 712 is equipped with a largenumber of modems capable of interfacing with the PCs' modem or TVAppliances' modem. The fast dialup transaction cycle may be carried outas follows: the user 702 initiates a transaction at 718, the terminal704 executes the transaction initiation process at 720, and controls itsmodem 706 to dial-up 722 the RAS 712. Once the link is established, theterminal 704 delivers the transaction packet(s) to the network 710, asshown at 724. The packet(s) transits at 726 through the network 710 andis delivered to the RAS 712. The RAS then dispatches the packet(s) tothe server 714, as shown at 728. The server 714 executes the transactionas shown at 730 and returns an acknowledgment S-ACK at 731 that isforwarded back to the terminal 704 via the path 732, 734, 736, 738 and740. As soon as the terminal 704 has examined the server acknowledgmentS-ACK, it may send a command 744 to the modem 706 to hang-up the line,as shown at 746. The transaction receipt may then be displayed orprinted for the user 702, as shown at 742.

For example, the Nortel CVX 1800 Access Server and the Cisco AS5850Access Server are each capable of holding 2688 modem connections perchassis. Four (4) Nortel CVX 1800 chassis can fit in a standard 42Urack/bay and three (3) Cisco AS5850 chassis can fit in a standard 42Urack/bay. Assuming 4 chassis per bay, 100 bays (or 400 RAS chassis, or atotal of 1,075,200 dialup interfaces) and a fast dialup time of 1second, a total of approximately 1,000,000 transactions can be madeevery second. These bays may be geographically distributed in order tobalance the traffic produced by the geographically dispersed TV viewersor users. This amount of equipment is not unreasonable to achieve suchhigh transactional performance. In comparison, the Google search enginerelies on over 15,000 servers or 180 bays (80 hundred servers per bay)in order to provide an under 1 second “Read-Only” service at a maximumof 1,000 queries per second.

Moreover, Nortel CVX 1800, Cisco AS5850 or equivalent remote accessequipment are universally used by all telecom providers. This remoteaccess equipment may communicate with a central transactional server viahigh-speed links. Consequently, a very large-scale fast dialuptransactional capture system may be implemented in a relativelystraightforward manner.

FIG. 8 illustrates the transactional engine plug-in 800 that supportsthe transactional traffic between the user web browser session and thecentral transactional server. Browser plug-ins are custom developedapplications that obey a predefined web browser Application ProgramInterface (API) to make specific services available when the userinteracts with the web browser 802. Examples of commonly availableplug-ins include the Flash player 804 from Macromedia, the Acrobat PDFreader 806 from Adobe, the media player plug-in from Microsoft 808, theAlternaTIFF plug-in 810 from Medical Informatics Engineering allowing,for example, viewing of USPTO patent pages provided in the TIFF format.These plug-ins are usually downloaded when the user navigates on theInternet using the web browser 802. For security reasons, the user isusually asked to authorize or deny the download and installation of suchplug-in. Code signing or authenticode technology may be used to identifythe software provider.

The transaction engine plug-in 812 is an object of this invention inthat it allows carrying out fast dialup transaction cycles independentlyof the web server that is serving the web browser pages. When the userpresses the submit button in his browser, the transaction engine plug-in812 takes over the processing. Later in this document, another exemplaryimplementation of the transaction engine plug-in 812 will be described,which makes use of UDP protocol to perform the transaction cycle.

FIG. 9 is a flowchart 900 illustrating a transaction commit via dialupwhile the user is engaged in a web browser session. It is to be notedthat if the user Internet link is already used by the web browsersession (user telephone line), this link may be cut to enable fastdialup access directly to the central transactional server andtransaction commit. When the transaction is completed, which may onlytake a few seconds, the Internet link may be re-established with theoriginal web browser session.

Hereafter is an example of a transaction commit via dialup whereby auser makes a purchase. It is assumed that the user's PC or TV appliance(thereafter the terminal) is equipped with a dialup modem connected tothe telephone line. The purchase may be, for example, an item to bedelivered, a service or a vote. The flowchart begins at 902. Typically,a user engages into a web browser session at 908 after connection to anISP (Internet Service Provider) at 904 and connection to a web server at906. Should the user find something of interest to purchase as suggestedby the YES branch 914 at 910, the user may enter his or her choices 916,enter the payment details (could be a 1-click model) at 918 and thenpress the submit button 920, as suggested by YES branch 924. If the userhas not decided to purchase anything (or enter a vote, for example), heor she may continue to browse, as shown at 912. If the user does notpress the submit button at 920, as suggested by the NO branch 922, theuser may continue to browse and may be returned to 908.

If it is determined at 926 that the connection to the ISP is via themodem 928 (that is, not thought xDSL or cable modem), the transactionengine plug-in 812 may cut the communication with the ISP by hanging-upthe line at 930, as shown by YES branch 928. If it is determined thatthe connection to the ISP is via a broadband connection (e.g., xDSL orcable modem), the NO branch 932 is taken and the terminal initiates afast dialup at 934 to connect to the transactional server 714 (or TSPTransaction Service Provider). Once the link is established, theterminal sends the transaction packet(s), as shown at 936. Uponacknowledgement from the server at 938, the terminal may proceed throughYES branch 948 and cut the communication with he transaction serviceprovider (TSP) at 950 by hanging the telephone line and may then printor display a transaction receipt 952. Should an acknowledgement from theserver not be received at 940 after a time-out 946 (NO branch 940), theterminal will return to step 938 (NO branch 944 until the expiration ofa predetermined time out 942. When the time out 942 elapses (YES branch946), the terminal may return to step 936 to retry sending thetransaction. Finally, the transaction engine plug-in 812 re-establishesconnection with the ISP at 954 (if link was cut at 930) and relinquishescontrol to the web browser, as shown at 956.

FIG. 10 illustrates a model 1000 that merges of web services and secureonline transactional services, according to an embodiment of the presentinvention. Transaction services offered by the transactional server 1002for conventional transactional business users 1008 is via privatenetwork 1010 while transaction services for mobile 1012 and home users1014 is via fast dial-up 1022, 1024, 1026, 1028, 1030, 1018, and 1020.Web page services are provided for mobile 1012 and home users 1014 viathe Internet 1016 and the web server 1004. The web server 1004 and thetransactional server 1002 are synchronized via a fast dedicated link1006.

FIG. 11 illustrates a model 1100 for the merging of web services andInternet routed transactional services, according to an embodiment ofthe present invention. Transactional services (the solid links 1120,1122, 1124, 1126) for transactional business users 1118 and transactionservices (the solid links 1132, 1138, 1144, 1152, 1158) for mobile 1128and home 1148 users are via a transaction tunnel through the Internet1108. Transactional server 1102 is at IP address IP1, referenced at1112. Rich web page content updates for mobile 1128 and home 1148 usersmay be carried out via conventional TCP/IP and HTTP protocols, forexample (as indicated by the dotted links 1134 1140 1146 1154 1160 1114)controlled by the web server 1104 at IP address IP2, referenced at 1116.

The transactional tunnel referred to above may be as described incommonly assigned Large Scale Controlled and Secure DataDownloading—Application Ser. No. 60/332,522 and PCT/US02/37529 filedNov. 22, 2002. The transaction tunnel may use the UDP protocol. Thetransaction tunnel may also be a secure tunnel such as VPN or IPSec. Theweb server and the transactional server may be synchronized via a fastdedicated link 1106.

FIG. 12 shows an “N”-Transaction Model 1200—Nominal Mode, according toan embodiment of the present invention. As show therein, a terminal 1204commits simultaneously a transaction to several geographically spacedcentral servers. For simplicity, the diagram shows the exemplary casefor 3-servers/3-transactions. Error recovery (retry model) is not shownin case of a failure anywhere outside the terminal boundary. However, itwill be appreciated by those of skill in the art that extension toN-servers/N-transactions is straightforward subsequent to examining thediagram and the associated detailed description. In the same manner,implementing the “One” transaction model depicted in FIG. 2, the Retrymodel depicted in FIG. 3 and the Acknowledgment model shown in FIG. 4 isalso straightforward.

The transaction cycle may proceed as follows. Arrow 1209 indicates thepassage of time. Upon a user 1202 initializing a transaction 1216, theterminal 1204 executes the process 1218 to prepare a transactionalpacket and duplicates the prepared transactional packet into 3 separatepackets Xa 1220, Ya 1222 and Za 1224. The Xa packet is destined forserver X 1210, Ya is destined for Server Y 1212 and packet Za isdestined for server Z 1214. As a whole, the three packets are identicalexcept for the destination address and for the forwarding of previousacknowledge signals to/from the servers. Each of the three transactionpackets Xb 1226, Yb 1228 and Zb 1230 travels through the network 1206and is delivered as inbound packet to the respective servers X 1210, Y1212 and Z 1214. Each server receives the inbound packets at 1232, 1234and 1236. After examination of the inbound packet for integrity andcorrectness of the originating terminal source address, each serverexecutes the same transaction on the received inbound packets at 1238,1240, 1242 and upon completion, returns an outbound packet Xd 1244, Yd1246 and Zd 1248 each destined to the originating terminal 1204.

The receipt is printed (or viewed) at 1258 immediately upon receiving anacknowledgement from any one of the three servers. Upon receiving afirst outbound packet (containing a server acknowledgment) from one ofthe three server X, Y or Z (Xe 1250 in this diagram), containingacknowledgment of server X at 1252, the terminal 1204 views or print areceipt 1258. The terminal may also take note of the arrival of theacknowledgments 1254 and 1256 from servers Y and Z.

FIG. 13 illustrates at 1300 the case wherein one of the paths betweenthe terminals and the servers experiences a failure and shows that suchfailure does not have an impact upon the transaction cycle. Theunsuccessful arrival after a predetermined time-out of an acknowledgmentfrom the X server is simply noted in a failure log by the terminalre-synchronization application. Arrow 1309 represents the passage oftime.

The transaction cycle is identical to that described relative to FIG.12, except that in the illustrative transaction of FIG. 13, the terminaltransaction packet Xb 1326 never reaches server X 1310. Upon a user 1302initializing a transaction 1316, the terminal 1304 executes the process1318 to prepare a transactional packet and duplicates the preparedtransactional packet into three separate packets Xa 1320, Ya 1322 and Za1324. The Xa packet is destined for server X 1310, Ya is destined forserver Y 1312 and packet Za is destined for server Z 1314. Overall, thethree packets are identical except for the destination address and forthe forwarding of previous acknowledge signals to/from the servers.

In FIG. 13, either the packet Xb got lost as suggested at 1328 duringits transit via the network 1306 or the server X is unavailable as shownat 1334. The exact location of or the reason for the failure 1311 isunimportant. The two inbound packets Yb 1330 and Zb 1332 are received bythe servers Y and Z at 1336 and 1338. Transactions on the receivedinbound packets are then carried out at 1340, 1342 by the two servers Yand Z, and outbound packets Yd 1344 and Zd 1346 are returned to theterminal 1304.

The receipt is printed (or viewed) at 1354 immediately upon receiving anacknowledgement from any one of the two operational servers Y or Z. Uponreceiving a first outbound packet (containing a server acknowledgment)from one of the two server Y or Z (Ye at 1348 in this diagram),containing acknowledgment from server Y at 1350, the terminal 1304 viewsor print a receipt at 1354. The terminal 1304 takes note of the arrivalof acknowledgment 1352 from server Z, and after a predetermined timeout,takes note that no acknowledgment has been received from server X 1310for the current transaction cycle and that server X may not havereceived the transactional packet Xb sent by the terminal 1304. Theterminal may simply keep a log of the identifier for the missingtransaction acknowledgment. That the server X may not have received thetransactional packet sent by the terminal and thus may lack data will beremedied in a synchronization operation at a later stage.

Consequently, in the above-described transaction cycle, the failure tocommunicate with one of the three servers has no impact for a usercarrying out a normal transaction operation. The terminal is an activeparticipant in the resynchronization subsequent to a failure in atransactional path.

It will be also appreciated by those of skill in the art that theillustrated transaction processing may readily be extended toN-servers/N-transactions. In the same manner, implementing the “One”transaction model depicted in FIG. 2, the Retry model depicted in FIG. 3and the Acknowledgment model depicted in FIG. 4 is also straightforward.

This N-servers/N-transactions model whereby servers are separated by asignificant distance has the advantage of providing extreme resiliencefor non-stop disaster tolerance.

FIG. 14 illustrates at 1400 the construction of a synchronization log byan operational server in the case of failure of another server orfailure of its network path with the terminals. For simplicity, thediagram of FIG. 14 shows the case for two-servers/two-transactions.Error recovery (retry model) is not shown in case of a failure anywhereoutside the terminal boundary. Arrow 1410 indicates the passage of time.

Transaction cycle (1) 1415 is identical to the transaction cycleillustrated in FIG. 13, apart from the fact that only a two-transactionmodel is shown and server Z together with its associated data path toand from the terminal is ignored. Upon a user 1402 initializing atransaction 1416, the terminal 1404 executes the process 1418 to preparea transactional packet and at duplicates the prepared transactionalpacket into two separate packets X1 a at 1420 and Y1 a at 1422. The X1 apacket is destined for server X 1412 and Y1 a is destined for server Y1414. Overall, the two packets are identical except for the destinationaddress and for the forwarding of previous acknowledge signals to/fromthe servers.

In FIG. 14, either the packet X1 b 1424 got lost as suggested at 1426during its transit via the network 1406 or the server X is unavailableas shown at 1430. The exact location of or the reason for the failure1426 is unimportant. The inbound packet Y1 b 1428 is received by theserver Y at 1432. A transaction on the received inbound packet is thencarried out by server Y at 1432 and an outbound packet Y1 d 1436 isreturned to the terminal 1404. Upon receiving outbound packet(containing a server acknowledgment) Y1 e at 1438 from server Y, theterminal 1404 views or print a receipt at 1442.

The terminal 1404 has taken note of the arrival of acknowledgment S-ACKY1 1440 from server Y, and after a predetermined timeout, takes notethat no acknowledgment has been received from server X for thetransaction cycle (1) and that in consequence, server X may be lackingthe transactional packet for cycle (1) sent by the terminal 1404.

In transaction cycle (2) 1443, user 1402 initializes transaction #2 at1444 and the terminal 1404 executes the process 1446 to prepare atransactional packet and at 1446 duplicates the prepared transactionalpacket into two separate packets X2 a at 1450 and Y2 a at 1452. The X2 apacket is destined for server X 1412 and packet Y2 a is destined forserver Y 1414. Overall, the two packets are identical except for thedestination address and for the forwarding of previous acknowledgesignals to/from the servers. As shown in FIG. 14, a NO S-ACK X1(information to the effect that no Acknowledgment from server X wasreceived in previous transaction cycle) is added to the transactionpacket 1446, as shown at 1448.

In FIG. 14, either the packet X2 b 1454 got lost as suggested at 1456during its transit through the network 1406 or the server X is stillunavailable, as shown at 1413. The exact location of or the reason forthe failure 1456 is unimportant. The inbound packet Y2 b 1458 isreceived by the server Y at 1462. A transaction on the received inboundpacket Y2 c is then carried out by server Y at 1464. Upon receipt andexamination of the received inbound packet at 1462 by server Y 1414, theSYNC Y2 d and NO S-ACK X1 1468 information is forwarded at 1466 to thesynchronization engine 1409 Y 1415 located at server Y, is received bythe synchronization engine 1409 at 1470. The synchronization engine ofserver Y 1415 keeps a log of the identifiers of all the missingtransactions that were not received by server X 1412, as shown at 1472and then generates an acknowledgment signal SYNC Y2 f ACK SYNC X1 1474to confirm that the logging has been successful and sends theacknowledgment back to the terminal 1404 through the network 1406, asshown at 1476. The terminal 1404 received the acknowledgment at 1478,including the SYNC Y2 f ACK SYNC X1 information at 1480.Resynchronization of the data-lacking server X 1412 is discussed below.A receipt may then be provided to the user 1402, as shown at 1482.

It will be also appreciated by those of skill in the art that extendingthe model detailed herein relative to FIG. 14 toN-servers/N-transactions is straightforward. In the same manner, the“One” transaction model depicted in FIG. 2, the Retry model depicted inFIG. 3 and the Acknowledgment model depicted in FIG. 4 may also bereadily implemented. Such an N-servers/N-transactions model wherebyservers are separated by a significant distance has the advantage ofproviding extreme resilience for non-stop disaster tolerance.

FIG. 15 illustrates at 1500 the manner in which how two transactions maybe committed to two geographically dispersed servers, and how the twocentral servers may be resynchronized following a failure in thetransaction path. The synchronization engines use the synchronizationlog established by the terminal that noted the missing serveracknowledgments. As shown therein, terminals 1502, 1504, 1506, 1508,1510, 1512 and 1514 are coupled to the network 1520 via communicationpaths 1522, 1524, 1526, 1528, 1530, 1532 and 1534, respectively. Thecommunication paths from the network 1520 to the server X 1516 and tothe server Y 1518 are shown at 1536 and 1538, respectively.

FIG. 15 shows the N-transaction cycle as expressed in FIGS. 12, 13 and14 from a different perspective. In the case of atwo-servers/two-transactions model, a terminal 1506 may forward atransaction packet Tx 1542 to the central server X 1516 via the networkpath 1540 that transits through the (e.g., Internet) network path 15261520 1536, as a UDP (User Datagram Protocol, a transport layer protocoloptimized for small data packets and used by real time applications)packet, for example. In the same manner, the terminal 1506 may forward atransaction packet Ty 1548 to central server Y 1518 via the network path1544 that transits through the network 1526, 1520, 1538, as a UDPpacket, for example.

Synchronization engine 1550 located at server X 1516 and synchronizationengine 1552 located at server Y 1518 may communicate with one anothervia a synchronization link 1554, or alternatively, via anotherpredetermined network connection. Whenever one of the synchronizationengines starts building a synchronization log as a result of a terminalnotification to do so, for example as shown in FIG. 14 in which server Xis unreachable by the terminal 1404, server Y contacts server X throughthe synchronization link 1554. If server X is operational, server Yforwards all the transactional information from the terminal that serverX has not received because of failure. As a result, server X nowcontains the same terminal transactional data as server Y. On the otherhand, if server X is still not operational, server Y 1518 keeps retryinguntil the resynchronization of server X 1516 is completed. Once theresynchronization is completed, the overall system resilience isreturned to its nominal availability, and any of the servers orassociated link with the terminal may fail without causing anyinterruption of service at the terminal. It will be appreciated by thoseof skill in the art that the topology shown in FIG. 15 may readily beextended to the N-servers/N-transactions case.

FIG. 16 illustrates load replication at 1600 in the case of atwo-transaction model and two-POPs (Point Of Presence). Depending on thewide area communications means made available by the network or Internetservice provider, a preferred network topology such as depicted indiagram 1600 may be proposed such as to offer excellent resilience incase of a severe failure of part of the network while all the serversare kept in reach of the terminals. FIG. 16 illustrates the case whereinthere is no failure. FIG. 17 illustrates what happens when the networkbehind a POP is inoperative.

Thanks to the N-transaction model, each terminal may be configured tosend a duplicate transaction commit to any central server in accordancewith a destination address determined by a network management unit (forexample 2114 in FIG. 21). In addition, the terminal may be given apredetermined POP (Point Of Presence) to connect to in order to accessthe network. As instructed by the network management unit, The terminalmay, for load balancing reason or because of network failure, connect toanother POP at any time. POPs usually connect to a network backbone suchas the Internet backbone. The central servers may connect directly tothe backbone or via a POP or a plurality of POPs.

In the following detailed description of exemplary embodiments of theinvention, reference is made to FIG. 16, in which specific exemplaryembodiments are shown. The network management unit has configured thenetwork segment #1 1601 such that 50% of the terminals 1604, 1606, 1608,1612, 1614 and 1616 are connected to POP #1 1620 and has configured thenetwork segment #2 1611 the other 50% of terminals (which may be orinclude gaming machines (GM), for example) 1604, 1606, 1608, 1612, 1614and 1616 to POP #2 1622. To give an order of magnitude, consider a totalnumber of 100,000 terminals geographically distributed over a largestate such as Texas. Therefore, each POP handles the traffic coming from50,000 terminals or 50% of the overall terminal connections and datatraffic. However, by network design, each POP is preferably capable ofhandling double this capacity. That is, each POP is preferably capableof handing all of the connections and traffic from all 100,000terminals.

As shown in FIG. 16, central server X 1624 receives the transactionpackets X 1650, 1654, 1658 (the solid links) from network segment #11601 via POP #1 1620 and link 1628 (50% of the overall traffic, as shownat 1630) as well as the transaction packets X 1662, 1666, 1670 (thesolid links) from network segment #2 1612 via POP #2 1622 and link 1636(the other 50% of the overall traffic, as shown at 1638). Consequently,central server X receives 100% of the transaction traffic generated byall the terminals (network segment #1 1601+segment #2 1602), as shown at1644.

In the a similar manner, central server Y 1626 receives the transactionpackets Y 1652, 1656, 1660 (the dotted links) from network segment #11601 via POP #1 1620 and link 1632 (50% of the overall traffic, as shownat 1634) as well as the transaction packets Y 1664, 1668, 1672 (thedotted links) from network segment #2 1602 via POP #2 1622 and link 1640(the other 50% of the overall traffic, as shown at 1642). Consequently,central server Y receives 100% of the transaction traffic generated byall the GM terminals from network segment #1 1601 and network segment #21602. Communication link 1648 enables the servers 1624, 1626 to beresynchronized in accordance with the model shown in FIG. 15 should aterminal or a plurality of terminals detect missing serveracknowledgments.

In a geographically dispersed network of gaming machines, there isusually a plurality of POPs that are sufficiently separated such thatthe failure of a network path via a POP does not affect the network pathvia another POP. Moreover, one or several of the sites may be located ina different country. It will be appreciated by those of skill in the artthat the network architecture shown in FIG. 16 may be readily scaled upto N-servers/N-transactions.

FIG. 17 shows the network 1600 of FIG. 16 in the case of a loadfailover. Should POP #1 1620 fail, the configuration shown in FIG. 17applies. POP #1 1620 is inoperative as shown at 1621. According to anembodiment of the present invention, under predetermined instructions bythe network management unit, the entirety of the transaction trafficthat would otherwise be routed to POP #1 1620 from network segment #11601 is transferred to the other POP #2 1622, which then receives 100%of all of the transaction traffic from the terminals or gaming machinesGM in network segments 1601 and 1602. As detailed below, under such aconfiguration, each of the servers 1624 and 1626 continues to receive100% of the traffic generated by all the terminals.

Indeed, the terminals in network segment #1 1601, upon detection thatnetwork communication via POP #1 1620 is inoperative as suggested at1621, will re-establish a communication link with the network 1623 byaccessing the POP #2 1622. Consequently, 100% of the transaction trafficfrom all the terminals is routed via POP #2 1622. Central server X 1624and central server Y 1626 each receive 100% (as shown at 1638 and 1642)of the terminal transaction respectively via link 1636 and via link1640. Transaction traffic channeled to server X 1624 originates from theX transaction packets 1650, 1654, 1658, 1662, 1666 and 1670 (the solidlinks), and transaction traffic channeled to server Y 1626 originatesfrom the Y transaction packets 1652, 1656, 1660, 1664, 1668 and 1672(the dotted links).

It will be appreciated that extending the topology shown in FIG. 17 to atopology wherein a plurality of POPs are accessible by terminals isstraightforward to those of skill in the art. In that case, the networkmanagement unit would predetermine a suitable strategy for terminalswhose POP fails to call an alternate POP.

FIG. 18 is an overview of a network topology 1800 and a systemarchitecture of a universal game server 1802, according to an embodimentof the present invention. The universal game server 1802 is alsoreferred to herein as central server 1802 herein. A second centralserver or N central servers may be located at geographically distantlocations for disaster tolerance. Such second or N central servers,according to an embodiment of the present invention operatesynchronously in accordance with the synchronization principlesdescribed above, and a link between the central servers 1802 allows forresynchronization. The central servers 1802 may be located in differentstates or different countries. Operating the transactional terminals,the network and the central servers is commonly referred as “theoperations”, and the contractor that run the operations, the “theoperator”.

The central server 1802 may include three main elements; namely, (a) thetrusted transactional cache 1822, (b) the business server 1828 and (c)the logistic support server 1826. At least one of the N central serversshall have all three elements 1822, 1828 and 1826; other servers needonly include element the trusted transactional cache 1822 to providesynchronized disaster tolerance capability. A large storage capacityStorage Area Network (SAN) 1834 may also be provided. A single businessserver 1828 for the entire operations may be located at a central place,and the logistic support server 1826 for the entire operations may belocated at another central place. All three elements may be located at asame site to minimize operational costs, but this is not a technicalrequirement. The business server 1828 and the logistics support server1826 may be coupled to one another via a Local Area Network (LAN)connection 1832.

The central server 1802 may be configured to connect to a wide varietyof terminal transaction devices such PCs 1806, Mobile/Handheld PCs 1808,WAP phones 1810, Interactive TVs 1812, Lottery Terminals 1814, Retailterminals 1816, Public Kiosks 1818, and any other kinds of transactionaldevices 1820. These devices may run any type of operation systems suchas Microsoft Windows, Linux, UNIX, Macintosh, Pocket PC, Symbian,real-time kernels and custom operating systems or equivalent. Theseterminals may connect to a private or public network 1804 and mayconnect to the central server 1802 via a least two links, one link 1824that connects to the trusted transactional cache 1822 and one link 1825that connects to the logistic support server 1826.

FIG. 19 illustrates a portion 1900 of the system shown in FIG. 18, andshows the top-level architecture of the trusted transactional cache1822. The trusted transactional cache 1822 or TTC is also referred toherein as “VeriCache™”. VeriCache™ 1822 is an important part of thecentral server 1802 in that it provides fundamental services requiredfor handling game transactions; namely, data integrity, transparency,security and guaranteed response time. The combination of these fourfactors characterizes the trust in the “trusted transactional cache”1822. This trust is achieved thanks to the proprietary (necessary foraudit purposes) developed software code that is kept in its simplestpossible form. Complex third party software such as hugely complexrelational databases and web server technologies is, therefore,disfavored. For data management, for example for defining, querying andupdating the attributes of the transaction terminals (say 1 millionterminals and/or users), a simple and very efficient in-memory flatdatabase technique may advantageously be used.

It is important to note that the trusted transactional cache 1822 isindeed a “cache”. That is, the trusted transactional cache 1822 providesreal-time temporary storage for raw data and is optimized forsimplicity, data integrity, transparency, security and performance. Datamanipulation is kept to a strict minimum. The transactional information(inbound and outbound) is stored in several places using a synchronizedpersistent storage technique such that any system failure does notresult in any data loss, thus insuring what may accurately be termed“zero-loss data integrity”. Disaster tolerance with zero-loss dataintegrity in case of a major disaster striking a central center 1802 isprovided by one or more geographically remote synchronized centralservers as described previously. All the data processed by the trustedtransactional cache is made available to the business server 1828 (seealso FIG. 20) via a “one-way” link shown in FIGS. 18 and 19 at reference1930. This one-way link is conceptually represented by the diode symbol.The one-way function may be provided by proprietarily developed software(preferred as source code may be totally audited) or by a trustedfirewall configured to ensure only a one-way traffic. That is, thetrusted transactional cache 1822 is preferably configured such that itcannot receive external data via the link 1930, nor can it allow anyaccess such as remote logging.

The entire trusted transactional cache 1822 should preferably reside ina secure room fitted with transparent glass walls, video surveillance,biometric access and no permanent user console access. Control may onlybe via the user console located inside the room.

The transaction engine 1908 and the audit log 1910 are the mostsensitive and most trusted elements of the trusted transactional cache1822. The transaction engine 1908 receives an inbound transactionpayload from a remote terminal and returns an outbound transactionpayload to be forwarded back to the originating terminal. The inboundtransaction payload (or inbound game payload or inbound payload) may bedefined as the minimal set of information that is required to compose avalid game transaction, such as the terminal ID, user ID (optionally),transaction GUID (global unique identifier), terminal originating/returnaddress (optionally), the game ID, the game bet (player's selectednumbers or symbols), amount wagered (optionally), data integrity codingand a number of acknowledgement signals. Some of the data, for examplethe optional data, may be derived at the TTC 1822 through a databaselook-up, thus the payload may be kept very small. For example, aninbound payload for a comprehensive lottery slip scanned at a terminalmay be no larger than about 80 bytes. The payload as defined herecorresponds to the ISO Layer 7 application layer in that it does notcomprise any layer element for forwarding the packet through thenetwork.

Similarly, the outbound transaction payload (or outbound game payload oroutbound payload) may be defined as the minimal set of information thatis required to compose a valid game transaction return, such as thetransaction GUID, the amount won, data integrity coding and a number ofacknowledgement signals. For example, an outbound payload packet for alottery terminal may be no larger than 50 bytes. The exact compositionof the inbound and outbound payload packets vary according to the typesof game available, the regulatory requirements and the game model(deferred-draw or instant-draw, for example).

A transaction packet from a terminal is forwarded to the Front End 1918in the TTC 1822 via a network 1804 and either the synchronization engine1928 (such as shown at 1550 and 1552 in FIG. 15) or a remote accessserver (RAS) 1920. Depending on the type of network access, the link maybe through the RAS 1920 or directly to the Frond End 1918. The Front End1918 may be configured to strip the inbound packet in order to onlydeliver the inbound game payload to the transaction engine 1908. Afterprocessing the inbound payload, the transaction engine 1908 logs thedetails of the transaction including the relevant inbound payload andoutbound payload to a trusted audit log 1910. An outbound payload packetmay be returned to the originating terminal to acknowledge thesuccessful processing of the transaction by the central server 1802 onlyif a log for that transaction has been physically written in at leasttwo separate persistent storage units, to ensure disaster-proof faulttolerance. In this manner, the sudden failure of one storage element, ofother elements in the TTC 1822, or of the entire TTC system 1822 willnot compromise data integrity. In case of a disaster whereby the entireTTC 1822 cannot be returned to an operational state, a distant centralserver 1802 (in the N-transaction model) processing the same transactionwill ensure the integrity of the terminal transaction. Furthermore, thetrusted audit log 1910 is preferably controlled by a read-only mechanismwhereby the information is logged sequentially and can never be modifiednor erased.

The trusted audit log 1910 may be periodically dumped or backed-up ontowrite-once media such as CD-ROMs. Preferably, backing up the trustedaudit log 1910 is carried out using a robotic CD-ROM or DVD duplicators,such as available from Rimage Corp (www.rimage.com), for example. As aresult, no human is required to penetrate the secure room in which theTTC 1822 is located to perform multiple copies on multiple brands ofmedia and print the identification labels. Moreover, a ramp ispreferably added that guides the finished CD-ROM or DVD directly into afireproof safe. Such fireproof safe with automatic entry of the writtenCD-ROM or DVD is named a vault FIG. 19. The TTC 1822 may be coupled toor include one or several vaults 1912, 1914, 1916 whereby a given vaultor vaults may be assigned to a given game event (or events) or for agame jurisdiction (or jurisdiction). Procedures for physical access toand removal of the recorded audit logs stored in the vaults 1912, 1914,1916 are in accordance with stringent requirements as mandated byregulators.

The trusted audit log 1910 is preferably recorded in a simple dataformat that may be easily audited by the regulators or their assignsusing a third party utility. Preferably, entries in the trusted auditlog 1910 are made in the text format, whereby an auditor may examinepart or the entire log or perform a search using a standard text editoror word processor. All of the information contained in the trusted auditlog 1910 may be forwarded to the business server 1828 for automaticfinancial reconciliation or import into a relational database for datamining.

In the case wherein the central server 1802 is configured to handletransactions for games following the central instant-draw model, wherebythe outcome of a game waged by a player at a terminal is determinedimmediately and the amount won (if any) is returned in the outbound gamepayload, one or a plurality of random number generators (RNG) 1922,1924, 1926 may be added to the TTC 1822, preferably inside the secureroom. The outcome for each game transaction together with the number(s)drawn by a RNG is immediately recorded in the trusted audit log 1910following the same “fault tolerant persistent synchronized storage”principles detailed above.

FIG. 20 illustrates a portion 2000 of the system shown in FIG. 18 andillustrates the top-level architecture of the Business Server (BS) 1828.The BS 1828 receives a copy of all the information handled by the TTC1822 that is relevant to the conduct of the game business via the link1830. The information is provided asynchronously, that is, it is derivedfrom the trusted audit log 1910 in a low priority optimized format suchthat the ability of the TTC 1822 to service a very large number ofterminals is not impacted. The data transfer from the TTC 1822 may beeffectively carried out in batch, with a time delay typically notexceeding one or two minutes from the real event that caused thegeneration of the information. The received data may be imported into atraditional information-processing environment comprising commercialdatabase packages (relational, object oriented or other type) and/orother custom modules. The BS 1828 may include an activity monitoringmodule 2006 that reflects in near real-time the overall and detailedbusiness/game activity of the operations, an activity control module2008 for real-time configuration of the various game events; a gamemanagement module 2010 for configuring the various game parameters inaccordance with a strategy or regulatory requirements, analyze theperformance metrics of the system and dynamically adjust configurationwith the analysis outcome in a close loop fashion; an activity reportingmodule 2012 that mines the database and prepare graphical reports in aformat such that managers can readily understand the dynamics of theoperations in order to make the necessary optimization to maximizerevenues; and a bookkeeping/financial module 2014 that complies withapplicable tax laws and game regulations. The business server 1828 ispreferably equipped with a firewall (not shown in FIG. 20).

Standard business IT security procedures may be applied to the businessserver 1828 such that the users thereof are provided the most flexibleand most efficient tools to manipulate the data to conduct the gamebusiness. For example, standard database access control is sufficient.Should a doubt be raised regarding the veracity or integrity of a giventransaction, the CD-ROM produced by the Trusted Audit Log 1910 may beexamined for comparison and for determining the cause for thediscrepancy (procedural error, data corruption or fraud, for example).All of the LSS data (described below) may be centrally stored in theStorage Area Network 2024.

FIG. 20 illustrates a portion 2100 of the system shown in FIG. 18 andillustrates the top-level architecture of the Logistic Support Server1826. The Logistic Support Server or LSS 1826 supports all theinformation technology tasks in a large scale gaming operation that arenot handled by the trusted transaction cache 1822 and the businessserver 1828. Microsoft Encarta® Reference Library 2003 defines“Logistics” as: involving complicated organization, involving theplanning and management of any complex task. If the “Support” attributeis added to form “Logistics Support”, it is clear that the role of theLogistic Support Server 1826 is important.

According to embodiments of the present invention, the LLS 1826 may be asingle server or an aggregate of servers located at one site or acrossseveral distributed sites. The LLS 1826 preferably takes advantage ofall current Internet and Intranet technology advances such as forexample available from Microsoft, Windows 2003, Internet InformationServer IIS6, web farms load balancing, Internet Security andAcceleration (ISA) Server, SQL Server relational databases, Clustering,XML, InfoPath, SOAP, Biztalk, Office, Project, SharePoint Portal Server(collaborative technology), Exchange email server, Mobile Informationserver, SQL Server Notification Services Notification server, SystemManagement Server (SMS), Microsoft Operations Manager (MOM), VisualStudio and Software Update Services (SUS).

The business server 1828 communicates with the Internet 1804 via forexample a comprehensive firewall infrastructure such as Microsoft ISAServer enterprise security firewall (not shown in FIG. 21 forsimplicity). The LSS 1826 may comprise a web server farm 2110 containinga large number of Internet servers in order to deliver the numerousservices of the LLS 1826 to users and systems of the game operationsover the Internet and Intranet. A number of web servers may bedelivering the rich page content to the terminals while the transactionsare routed to the trusted transaction cache 1822 in accordance with theprinciples detailed above relative to FIG. 11 and below relative to FIG.22. The LSS 1826 communicates with the business server 1828 via thenetwork link 1832.

The LSS 1826 may also include a call center help desk 2112 constructedusing the latest Internet telephony, email, alert notification services,subscription notification services and collaborative technology in orderto provide automated and/or human support to users and players. Asshown, the LSS 1826 may comprise a network management unit 2114 thatmonitors and controls the entire or portion of the communication networkbetween the terminals and the central server(s) 1802. The LSS 1826 maycomprise a maintenance management unit 2116 that manages the deploymentand maintenance of all the terminals, servers and communicationequipment. In addition, service vehicle fleet management may be providedusing tracking GPS devices and web map services such as Maporama.com andMicrosoft MapPoint, for example. In addition, the LSS 1826 may include acomprehensive software development and upgrade unit 2118 for producingmanaged software code, certifying code in accordance with applicablegame regulations and downloading game code as well as system andutilities updates. Indeed, the software development and upgrade unit maybe distributed geographically in accordance with the localization of thedevelopers and various software support personnel. The LSS 1826 may alsoinclude other computer infrastructure 2120 for supporting the gameoperations that are channeled via the web server farm 2110. All of theLLS data may be centrally stored in the SAN 1834.

FIG. 22 illustrates the top-level architecture 2200 of the personalityfront end (PFE) 1918. As can be seen in FIG. 18, the PFE 1918 is part ofthe trusted transaction cache 1822. The PFE 1918 may be configured tointercept all the transaction traffic with the terminals via the network1804 through link 1824. Link 1824 may comprise a variety of networkprotocols such private 2210, X25 2222, dial-in 2230 and the Internet2242, for example. The PFE may also be configured to intercept trafficthrough links configured for other protocols, as will occur to those ofskill in this art. Each network may require a specific network interfaceequipment 2212, 2224, 2232, 2244 for allowing interfacing with the PFE1918 via a standard local area network such as Ethernet.

The role of the PFE 1918 is to extract the inbound game payload(application layer 7) from the inbound network communication packet sentby the terminal that is received at the central server 1802, and tostuff the outbound game payload (application layer 7) into the outboundnetwork communication packet sent back to the terminal. The inbound gamepayload is destined to the transaction engine 1908 and the outbound gamepayload is produced by the transaction engine 1908. Such architectureallows the transaction engine 1908 to be unaffected by the type ofcommunication protocol employed by the terminal to communicate with thecentral server 1802. If the transaction information produced andunderstood by the terminal is specific, the PFE 1918 trans-codes thedifferences such that the transaction engine 1908 may treat thetransaction information as generic. Consequently, the transaction engine1908 is kept unaware of the “personality” of the transaction terminals.Such architecture whereby the personality of the transaction terminalsfiltered is advantageous as it prevents making unnecessary changes tothe highly optimized yet simple transaction engine 1908 and the trustedaudit log 1910; consequently, maximum trust is retained.

For game transaction terminals that communicate via the private network2210, the native transactional separator or filter 2214 handles (forboth inbound as well as outbound traffic), the peculiarity of theproprietary private communication protocol. The filter 2214 is linked tothe payload separator or transcoder 2216 that adapting the transactionpacket format on the link 2220 such that it complies with the genericformat supported by the native transaction engine 1908. For gametransaction terminals that communicate via the X25 network 2222, theDial-in X25 packets separator or filter 2226 handles for both inboundand outbound traffic, the peculiarities of the X25 communicationprotocol. The filter 2226 is linked to the payload separator ortranscoder 2228 that further adapts the transaction packet format on thelink 2206 such it complies with the generic format supported by thenative transaction engine 1908. For game transaction terminals thatcommunicate via the dial-in network 2230, the dial-in UDP packetsseparator or filter 2234 handle, for both inbound and outbound traffic,the peculiarity of the dial-in communication protocol. Here, it isassumed that the protocol used is the UDP protocol, although otherprotocols may be implemented. The filter 2234 is linked to the payloadseparator or transcoder 2238 that further adapts the transaction packetformat on the link 2240 such that it complies with the generic formatsupported by the native transaction engine 1908. For game transactionterminals that communicate via the Internet 2242, the Internet UDPpackets separator or filter 2246 the peculiarity of the Internetcommunication protocol for both inbound and outbound traffic. Here, itis also assumed that the protocol used is the UDP protocol, althoughother protocols may be utilized. The filter 2246 is linked to thepayload separator or transcoder 2248 that further adapts the transactionpacket format on the link 2250 such that it complies with the genericformat supported by the native transaction engine 1908.

The array of filters and transcoders existing in the PFE 1918constitutes a formidable firewall; no unidentified or unauthorizedpacket may transit inbound past the PFE 1918. Indeed, sophisticatedintrusion analysis techniques (including forwarding of the traffic to anoff-site security specialist such as counterpane.com) may be employed totrack down the origin of any anomaly or fraud.

The N-Transaction/N-Server model described herein is well adapted to thedeferred-draw as well as to the immediate-draw gaming model.Deferred-draw refers to games whereby the player wager is placed at agiven instant in time, and the draw occurs at a later point in time.Traditional slip-scan lottery and sport betting (where legal) areexamples of deferred-draw whereby the player buys his wager several daysbefore the draw or the event that determines the outcome; the draw orevent may be shown life on TV. Disaster tolerance for differed-draw isessential so as not to loose the record of the player's wager to allowthe player to claim or verify winnings. This is especially important injurisdictions having regulations that mandate on-line storage oftransactions for 6 or even 12 months. The N-Transaction/N-Server modelis ideally adapted in the case of a lottery run in a developing countrywhereby the network infrastructure, power infrastructure or politicalmaneuvers is unpredictable; having a remote transaction server inanother stable country avoids the risk of compromising the dataintegrity of the gaming system.

In the case of the immediate-draw gaming model, the embodiments of thepresent invention may be configured under the control of the networkmanagement unit 2114 to simplify the network traffic. With theimmediate-draw model whereby the outcome is determined immediately(e.g., using RNG at the central server, or using a RNG locally at thetransaction terminal as is the case with casino gaming machines) beforethe transaction receipt is returned to the user/player at the terminal,there is no requirement to safely keep historical transaction data foran extended period of time. The players know immediately (withinseconds) whether they have won or lost. Therefore, for immediate-draw,geographically dispersed load balancing present a simplifiedconfiguration alternative to the N-Transaction/N-Server model.

FIG. 23 at 2300 illustrates a two-site geographically dispersedload-balancing configuration of an embodiment of the present invention,assuming here that the network 2322 is the Internet. The sameconfiguration would be applicable to non-Internet networks. In theconfiguration, two geographically separated trusted transactional cachesTTC-A 2344 and TTC-B 2348 are connected to the Internet 2322 viarespectively link 2346 and link 2350. TTC-A 2344 comprises a randomnumber generator RNG-A 2362 that determines the instant draw for thisTTC, and TTC-B 2348 comprises a random number generator RNG-B 2366 thatdetermines the instant game draw for this TTC. Outcome Engine 2364computes the outcome of the game transactions for terminals (e.g.,gaming machines (GM) 2302, 2304, 2306, 2308, 2310, 2312, 2314, 2316,2318 and 2320) connected to TTC-A 2344 and Outcome Engine 2368 computesthe outcome of the game transactions for terminals connected to TTC-B2348.

In the diagram, the Internet 2322 assumes multiple POPs (Points OfPresence) 2358 that may be accessible by the terminals for optimalnetwork resilience or spread of data traffic under the instructions setby the Network Management unit 2114. The terminals 2302, 2304, 2306,2308, 2310, 2312, 2314, 2316, 2318 and 2320 are configured to send onetransaction to a selected TTC, such as TTC-A 2344 or TC-B 2348. In theexemplary case illustrated in FIG. 23, terminals 2302, 2306, 2310, 2314and 2318 communicate with TTC-A 2344 via links 2324, 2328, 2332 2336 and2340, respectively (the black links), and terminals 2304, 2308, 2312,2316 and 2320 communicate with TTC-B 2348 via links 2326, 2330, 2334,2338 and 2342, respectively (the white links). In the illustrative caseof FIG. 23, therefore, 50% of the terminals communicate with TTC-A 2344and 50% of the terminals communicate with TTC-B 2348. A singletransaction to only one predetermined TTC 2344, 2348 is used.Consequently, each TTC 2344, 2348 independently handles 50% of thetransaction traffic. Accordingly, TTC-A 2344 handles 50% of the trafficas shown at 2352 via link 2346 and TTC-B 2348 handles 50% of the trafficas shown at 2354 via link 2350. The business server 1828 may retrievethe transaction logs of both TTCs 2344 and 2348; therefore, the entiregame business may be managed. One of the TTCs may be located in adifferent country. It is to be noted that a unique national accessnumber may be called that will establish a link via an availableoperative POP, and transparently load balance regional data traffic inthe communication network.

FIG. 24 at 2400 illustrates the two-site geographically dispersedload-balancing configuration of FIG. 23 and illustrates the failover inthe case wherein one of the TTCs becomes inoperative or unreachable(thus 0% of the traffic is carried on link 2350, as indicated at 2454).In this illustrative failure scenario, the terminals that initiallyattempted to connect to the failed TTC-B 2348 re-attempt connection tothe other remaining operational TTC-A 2344 via available operationalPOPs. Consequently, the entire 100% (as indicated at 2452) transactiontraffic is forwarded via link 2346 via the black links 2324, 2326, 2328,2330, 2332, 2334, 2336, 2338, 2340 and 2342. As TTC-A 2344 executes theimmediate-draw thanks to RNG-A 2362 and calculates the outcome using theoutcome engine 2364, the non-accessibility to the raw transactionhistorical data does not impact the game operations for the terminalsthat were previously connected to the failed TTC-B 2348. Historicalbusiness data has been retrieved by the business server 1828 while TTC-B2348 was in operation. Therefore, only a few seconds of historical datamay be unavailable. The business server is coupled to the TTCs 2344,2348 via the links 2380 and 2382.

FIG. 25 illustrates at 2500 a three-site geographically dispersed loadbalancing, according to an embodiment of the present invention. Asshown, FIG. 25 is an extension of the two-site geographically dispersedload balancing described in FIG. 23 by the addition of TTC-C 2570. TTC-C2570 includes a RNG 2580, an outcome engine 2582 and is coupled to thebusiness server 1828 via a link 2584. Here, the transaction load isbalanced over three TTCs 2344, 2570 and 2348, each handling about 33% ofthe transactional traffic of the terminals 2302, 2304, 2306, 2308, 2310,2312, 2314, 2316, 2318 and 2320, as shown at 2552, 2574 and 2554. Asshown, TTC-A 2344 handles the transactional traffic routed over theblack links 2524, 2530, 2536 and 2542, TTC-B 2548 handles thetransactional traffic routed over the white links 2526, 2532 and 2538and TTC-C 2370 handles the operational traffic routed over the thinlinks 2528, 2534 and 2540. One or more of the TTCs may be geographicallydispersed, such as located in different areas, states or countries, forexample.

FIG. 26 illustrates at 2500 the three-site geographically dispersedload-balancing model shown in FIG. 25 and illustrates the failover whenone of the TTCs of the system is inoperative or otherwise unreachable.For example, when TTC-C 2570 is unreachable or inoperative, theterminals previously connected to TTC-C will attempt to contact analternative TTC (TTC-A 2344 or TTC-B 2348 in this case) in accordancewith a predetermined connection contingency strategy defined by thenetwork management unit. Here, the failover strategy for one failed TTCresults in the two other TTCs 2344, 2348 each taking 50% of thetransaction traffic load as shown at 2652 and 2654 while the trafficload for TTC-C 2570 is reduced to zero, as shown at 2674. Should asecond TTC also fail, the remaining TTC will take 100% of the load asdescribed relative FIG. 24. It will be appreciated by those of ordinaryskill in the art that extension to a N-Sites geographically dispersedload balancing topology is straightforward.

Random Game Number Generation

The purpose of random game number generation is to produce unpredictableand unrepeatable game numbers (or symbols), which are in turn applied toa software game outcome module that determines the amount won (or lost)in accordance with applicable game regulation and a pay table. Theamount won (or lost) is called the game outcome; however, the gameoutcome may also refer to simply the random game numbers (or symbols).Hereunder, we refer to game outcome for either case.

Good random number generation is vital for producing game outcome. Theserandom numbers are typically provided by special algorithms calledpseudo random number generators (PRNGs) in software or specializedhardware random number generators (RNGs): Pseudo random numbergenerators (PRNGs) are software algorithms that take a random seed andgenerate streams of random bits that are normalized to produce randomgame numbers (or symbols). Generating a seed that cannot be predicted orrepeated is especially important in gaming. There are a number ofsources for unrepeatable seeds. The best source may be a hardware noisegenerator. One such implementation interfaces is with IntelCorporation's Random Number Generator. Other seed-gathering methodsinvolve tracking mouse movement or timing keystrokes, system time, orprocessor-elapsed time. There may be other schemes that do not depend onsomeone entering a value from the keyboard.

Once the PRNG is seeded, it can produce a sequence of random bits orbytes; these bytes are “more random” and are generated more quickly thanthe seed, typically hundred thousand times faster than a hardware randomnumber generator.

For example, the RSA Crypto-C software security componenthttp://www.rsasecurity.com/products/bsafe/crptoc.html includes PRNGsthat are designed to ensure good algorithmic properties.

The hardware-based Intel Random Number Generator included in the Intel®8XX series of PC motherboard chipsets is a good option that enables gameapplication to get the high-quality, high-entropy bits that are needed.Information on Intel RNG may be found athttp://www.intel.com/design/security/rng/mgppr.htm.

The Intel Random Number Generator is a dedicated hardware component thatharnesses thermal noise to generate random and non-deterministic values.The generator is free running, accumulating random bits of data until a32-bit buffer is filled. In addition, the bits supplied to theapplication have been mixed with a SHA1 hash function for added securityunder extreme conditions of voltage and temperature. The bits the IntelRNG supplies have been whitened by the hardware; that is, apost-processing algorithm has been applied to reduce patterns in thehardware bits and make them less predictable. The advantage ofperforming whitening in software as well as hardware is that an attackermust modify the hardware and the software to make the Hardware RNG leaksecret information.

The Intel RNG generates the seed bits needed to produce high qualitynon-predictable game outcomes. In a few milliseconds, the Intel RNG canproduce all the random bits needed to seed a game application. This issignificantly faster than the software mechanisms for gatheringunpredictable bits. Software mechanisms can take as long as ten secondsto gather a seed and often require user input (for example, via themouse or keyboard).

The present universal game RNG, according to an embodiment of thepresent invention may be configured to interface with a hardware randomnumber generator, to seed a PRNG, to record a trusted log and to produceon-demand random game numbers at a significantly high rate.

FIG. 27 illustrates the universal game RNG 2700 configured for gamingapplications, according to an embodiment of the present invention. Theuniversal RNG 2702 comprises both hardware and software components. Thehardware component may includes a hardware-based RNG 2704 such as, forexample, the Intel®82802 firmware hub (in fact, random number generationis one of the functions of the Intel®82802). Alternatively, thehardware-based RNG may be a function directly that may be directlyintegrated into future generation secure processors from, for example,Intel®and AMD®, or other motherboard chipsets as required for compliancewith (for example) Microsoft Next-Generation Secure Computing Base(NGSCB), formerly referred under the code name “Palladium”.Alternatively still, the hardware RNG of the present embodiment may beor include any other type of solid state device embedded on themotherboard, mounted on the motherboard, plugged into the motherboard orinserted into a slot or interface, including a secure smart card orsimilar secure smart devices. The hardware RNG may also be aquantum-effect RNG interfaced to the motherboard, for example.

The hardware RNG 2704 may be controlled by a specific software driver2708 such as the Intel Security Driver, for example, in order tosecurely capture random binary seeds 2706 generated by the hardware RNG2704. These captured seeds may then be securely delivered by thesecurity driver 2708 as shown at 2710 to an application level such as anIntel Interface software module 2712, for example. The rate of seeddelivery may be controlled by a seed timer 2714. For example, seeds may64 bytes long, and the seed rate may be configurable from 1 to 100 persecond. Preferably, seeds may be generated continuously, even when thereis no demand for the seeds at the interface 2732.

A pseudo-random number generator 2720 such as, for example, the RSACrypto-C RNG component is therefore, seeded by truly random seeds 2716produced at a predetermined rate under the control of the seed timer2714. A trusted log 2718 may log securely the random seeds 2716, forsubsequent audit.

High quality random binary numbers 2722 may now be produced at a veryhigh rate. A Game Result Assembler software module 2724 converts therandom binary numbers into “ranging” random numbers, that is, randomdecimal numbers ranging between two predetermined values such as 1 and80 for keno games, without introducing unacceptable coloration, that is,output random numbers no longer having a white distribution because ofthe unused numbers (dropped numbers). For example, for generating randomnumbers within an exemplary range of 1 to 80, an 8-bit random blobranging 0 to 255 is used wherein number 0 and numbers 81 to 255 arethrown away, which process may introduce distortions in the randomdistribution. Appropriate techniques are applied to minimize coloration.The “ranging” random numbers are commonly named and referred to as thegame numbers. For games using symbols, a mapping of the ranging randomnumbers to a predetermined set of symbols may simply be carried out.

The Game Result Assembler software module 2724 also responds to demandsmade at 2732 by the client gaming application, that is, game randomnumbers may be produced “on order” for each client application. Theorder may include the combination of random ranging game numbersrequired for a given game draw.

A very fast trusted log 2728 may securely log the high rate randomnumbers 2726 for subsequent audit. According to an embodiment of thepresent invention, the trusted log 2728 need not continuously record thehigh-rate random numbers generated by the pseudo random generator 2720,as these random numbers may be reproduced by retrieving the input randomseeds 27216 (which are written to the trusted log 2718 at a lower ratethan random numbers would be written to the trusted log 2728) from thetrusted log 2718 and feeding them back to the pseudo random generator2720.

A secure interface 2730 module may provide the necessary level ofsecurity when delivering the random game numbers to client applications.Typically greater than 200,000 numbers per second are generated on a 750MHz single processor Pentium-class machine. This high rate enables thedelivery of unique game random numbers for each individual game playedon the gaming machines, which offers a substantial improvement comparedto conventional batch RNG processes such as described in, for example,U.S. Pat. No. 6,280,328 entitled “Cashless Computerized Video GameSystem and Method” and assigned to Oneida Indian Nations.

Advantageously, the present universal game RNG may be incorporated intoa central server system described herein and/or into each gaming machinedescribed herein. In the case wherein the universal game RNG isincorporated into a central server, the universal game RNG may beincluded within a PC based workstation, server or motherboard comprisingthe necessary hardware-based RNG (or equivalent hardware RNG integratedinto future generation secure processors such as from Intel and AMD, orother motherboard chipsets as required for compliance with MicrosoftNext-Generation Secure Computing Base (NGSCB), or other standard) andthe other associated software modules as detailed in FIG. 27. Theuniversal game RNG may communicate with the other elements of thepresent trusted transactional cache, as shown in FIG. 19. There may beseveral universal gaming RNGs, as suggested by reference numerals 1922,1924 and 1926.

In the case wherein the present RNG is integration into each gamingmachine, the motherboard of the computer controlling the gaming machinemay advantageously be a PC motherboard fitted with a Intel 82802firmware hub providing hardware RNG or equivalent hardware RNGintegrated into future generation secure processors such as from Intel®and AMD®, or other motherboard chipsets as required for compliance withMicrosoft Next Generation Secure Computing Base (NGSCB) or otherstandard.

Advantageously both the server(s) and gaming machines may make use ofthe same hardware RNG device such that both types universal RNGs areidentical (software is identical). In one case, the present universalgame RNG may be configured to produce hundreds of thousands of randomgame numbers per second, and in the other case only one game randomnumber every few seconds. Consequently, the trust associated with thegame RNG in the gaming machine that may deliver top winnings of $100 isthe same as the trust associated with the game RNG in the central serverthat may deliver top winnings of $100 million, the later being subjectedto intense quality monitoring and security audits. Consequently, again,an estate of 10,000 gaming machines each having a local universal RNGmay have the same trust as an estate of 10,000 gaming machine whereinthe universal RNG is located at the central site.

FIG. 28 illustrates at 2800 the localized and/or centralized uses of thepresent universal RNG. Universal game RNGs such as shown and describedrelative to FIG. 27 may be incorporated within the gaming machines 2810,2814, 2818 and 2822, as shown at 2808, 2812, 2816 and 2820. TheUniversal Game RNGs 2808, 2812, 2816 and 2820 are preferably identical,or at least using a compatible hardware random number generators andassociated hardware interface software, such that they may be consideredfunctionally identical. Alternatively, or in addition to the UniversalGame RNGs 2808, 2812, 2816 and 2820 incorporated within the gamingmachines, one or more Universal Game RNG may be incorporated within thecentral server system 2802 to provide unique random numbers to each ofthe gaming machines.

The use of the localized game RNG (i.e., within the gaming machines) orof the centralized game RNG (i.e., within a central game server system)is dictated essentially by applicable game regulations. Considering theuniversal game server and the network connected gaming machines,whenever permitted, a selected set of games may obtain random gamenumbers from the localized game RNG, and another selected set of gamesmay obtain random game numbers from the centralized game RNG. Similarly,a selected set of game terminals may obtain its random game numbers fromthe localized game RNG for all the games that it executes, and anotherselected set of game terminals may obtain its random game numbers fromthe centralized game RNG for all the games that it executes. Wheneverlocal game regulations allow some flexibility in the choice of thesource of the random numbers, the game operator may choose either acentralized source of game RNG or a localized source of game RNG, inaccordance with given strategies, policies or other considerations.

CONCLUSIONS

The present document has set forth the fundamentals of conventionalsecure on-line game transaction topology, payload protocol and audittransaction log. These fundamentals are preferably retained in any newgaming system to provide stability, performance, transparency and dataintegrity.

Disclosed herein are embodiments of a universal game server capable ofsupporting large scale game operations comprising a wide variety and avery large number of game terminals remotely geographically located(region-wide, state-wide, country-wide and worldwide). The concepts ofdisaster tolerance, either using the N-transaction model or using theN-server geographic load balancing as applied to embodiments of thepresent invention have been presented in detail, including failover andre-synchronization. The personality front end has been described thatfilters the “personality” of the terminals such that the highlyoptimized and trusted transaction engine and its trusted audit log arenot impacted, irrespective of the terminals connected thereto. Alsodisclosed herein is the topology of systems for providing games thatappear in a traditional web browser but for which the secure gametransaction commit is done by a transaction engine plug-in that sendsthe transaction to a trusted transaction cache using UDP (for example)packets. The transaction engine plug-in may also support theN-transaction model or may use the N-server geographic load balancingmodel. The role of the terminal has been highlighted (applicable also tothe web browser plug-in) and disclosed as being an active participant inthe availability of the overall game system. That is, in the case of theN-transaction model, the terminal will actively contribute to thebuilding of a synchronization log such that the failed trustedtransaction cache may be rapidly synchronized upon returning to itsoperational state.

Concerning the generation of random game outcomes, an embodiment of auniversal game RNG is presented herewith that may be used unchangedwithin the gaming machines or at the central game server. The advantageis that each gaming machine may benefit of a game RNG having the samelevel trust as the highly audited very high volume central based gameRNG, and consequently, that level of trust is inherited for theoperation of the entire estate of a very large number of geographicallyor locally distributed gaming machines having the local game RNG.

Although specific embodiments have been illustrated and describedherein, it will be appreciated by those of skill in the art that anyarrangement that is calculated to achieve the same purpose may besubstituted for the specific embodiments shown. This application isintended to cover any adaptations or variations of the presentinvention.

1-32. (canceled)
 33. A game random number generator for supplying randomgame numbers to a gaming machine, comprising: at least one hardwarenumber generator configured to provide random number seeds at apredetermined rate, and at least one pseudo-random number generatorcoupled to the at least one hardware number generator, the at least onepseudo-random number generator being configured to generate the randomgame numbers from the random number seeds generated by the at least onehardware number generator.
 34. The game random number generatoraccording to claim 33, further comprising a first trusted log configuredto securely log all of random number seeds generated by the at least onehardware number generator.
 35. The game random number generatoraccording to claim 33, further comprising a second trusted logconfigured to securely log all of random game numbers generated by theat least one pseudo-random number generator.
 36. The game random numbergenerator according to claim 33, wherein the at least one pseudo-randomnumber generator is configured to supply game random numbers on demandfor each individual game draw within the gaming machine.
 37. The gamerandom number generator according to claim 33, further comprising atleast one game result assembler coupled to the at least onepseudo-random number generator, the at least one game result assemblerbeing configured to receive random game numbers produced by the at leastone pseudo-random number generator and to generate ranging random gamenumbers.
 38. The game random number generator according to claim 33,wherein the at least one hardware random number generator is one of: aRNG of Intel 8XX series of PC motherboard chipsets, the chipset beingintegrated on a motherboard of a computer within the gaming machine; aRNG of a secure smart card communicating with the computer within thegaming machine; a RNG of a secure smart device communicating with thecomputer of the gaming machine; a RNG of a processor compliant withMicrosoft Next-Generation Secure Computing Base, the processor beingintegrated on the motherboard of the computer of the gaming machine; aRNG of a motherboard chipset compliant with Microsoft Next-GenerationSecure Computing Base, the chipset being integrated on the motherboardof the computer of the gaming machine; a RNG of a security plug-indevice communicating with the computer within the gaming machine, and aRNG of an add-on card or add-on board security device communicating withthe computer within the gaming machine.
 39. A gaming system comprising:at least one gaming machine; at least one central game server coupled tothe at least one gaming machine over a network, the at least one centralgame server including: at least one hardware number generator configuredto provide random number seeds at a predetermined rate, and at least onepseudo-random number generator coupled to the at least one hardwarenumber generator, the at least one pseudo-random number generator beingconfigured to generate, on demand, the random game numbers from therandom number seeds generated by the at least one hardware numbergenerator.
 40. The gaming system according to claim 39, furthercomprising a first trusted log configured to securely log all of randomnumber seeds generated by the at least one hardware number generator.41. The gaming system according to claim 39, further comprising a secondtrusted log configured to securely log all of random game numbersgenerated by the at least one pseudo-random number generator.
 42. Thegaming system according to claim 39, wherein the at least onepseudo-random number generator is configured to supply game randomnumbers on demand for each individual game draw within the gamingmachine.
 43. The gaming system according to claim 39, further comprisingat least one game result assembler coupled to the at least onepseudo-random number generator, the at least one game result assemblerbeing configured to receive random game numbers produced by the at leastone pseudo-random number generator and to generate ranging random gamenumbers.
 44. The gaming system according to claim 39, wherein the atleast one hardware random number generator is one of: a RNG of Intel 8XXseries of PC motherboard chipsets, the chipset being integrated on amotherboard of a computer within the gaming machine; a RNG of a securesmart card communicating with the computer within the gaming machine; aRNG of a secure smart device communicating with the computer of thegaming machine; a RNG of a processor compliant with MicrosoftNext-Generation Secure Computing Base, the processor being integrated onthe motherboard of the computer of the gaming machine; a RNG of amotherboard chipset compliant with Microsoft Next-Generation SecureComputing Base, the chipset being integrated on the motherboard of thecomputer of the gaming machine; a RNG of a security plug-in devicecommunicating with the computer within the gaming machine, and a RNG ofan add-on card or add-on board security device communicating with thecomputer within the gaming machine.
 45. A gaming system comprising atleast one gaming machine, including: at least one first hardware numbergenerator configured to provide random number seeds at a predeterminedrate, and at least one first pseudo-random number generator coupled tothe at least one first hardware number generator, the at least one firstpseudo-random number generator being configured to generate, on demand,the random game numbers from the random number seeds generated by the atleast one first hardware number generator for each game draw performedat the at least one gaming machine; at least one central game servercoupled to the at least one gaming machine, the central game serverincluding: at least one second hardware number generator configured toprovide random number seeds at a predetermined rate, and at least onesecond pseudo-random number generator coupled to the at least one secondhardware number generator, the at least one second pseudo-random numbergenerator being configured to generate, on demand, the random gamenumbers from the random number seeds generated by the at least onesecond hardware number generator for each game draw performed at the atleast one gaming machine.
 46. The gaming system according to claim 45,further comprising: a first trusted log configured to securely log allof random number seeds generated by the at least one first hardwarenumber generator, and a second trusted log configured to securely logall of random number seeds generated by the at least one second hardwarenumber generator.
 47. The gaming system according to claim 45, furthercomprising: a third trusted log configured to securely log all of randomgame numbers generated by the at least one first pseudo-random numbergenerator, and a fourth trusted log configured to securely log all ofrandom game numbers generated by the at least one second pseudo-randomnumber generator.
 48. The gaming system according to claim 45, whereinfirst and second hardware random number generators are identical. 49.The gaming system according to claim 45, wherein first and second pseudorandom number generators are identical.
 50. The gaming system accordingto claim 45, wherein that at least one gaming machine is configured toselect at least one random game number for each game draw from the atleast one first pseudo-random number generator or from the secondpseudo-random number generator.
 51. A gaming system according to claim45, further comprising at least one game result assembler coupled to theat least one first pseudo-random number generator or to the at least onesecond pseudo-random number generator, the at least one game resultassembler being configured to receive random game numbers produced bythe first or second pseudo-random number generators and to generateranging random game numbers.
 52. The gaming system according to claim45, wherein the first or second hardware random number generator is oneof: a RNG of Intel 8XX series of PC motherboard chipsets, the chipsetbeing integrated on a motherboard of a computer within the gamingmachine; a RNG of a secure smart card communicating with the computerwithin the gaming machine; a RNG of a secure smart device communicatingwith the computer of the gaming machine; a RNG of a processor compliantwith Microsoft Next-Generation Secure Computing Base, the processorbeing integrated on the motherboard of the computer of the gamingmachine; a RNG of a motherboard chipset compliant with MicrosoftNext-Generation Secure Computing Base, the chipset being integrated onthe motherboard of the computer of the gaming machine; a RNG of asecurity plug-in device communicating with the computer within thegaming machine, and a RNG of an add-on card or add-on board securitydevice communicating with the computer within the gaming machine.
 53. Agaming machine configured to execute game draws whose outcome dependupon random game numbers, the gaming machine comprising: at least onehardware number generator configured to provide random number seeds at apredetermined rate, and at least one pseudo-random number generatorcoupled to the at least one hardware number generator, the at least onepseudo-random number generator being configured to generate the randomgame numbers from the random number seeds generated by the at least onehardware number generator.
 54. The gaming machine according to claim 53,further comprising a first trusted log configured to securely log all ofrandom number seeds generated by the at least one hardware numbergenerator.
 55. The gaming machine according to claim 53, furthercomprising a second trusted log configured to securely log all of randomgame numbers generated by the at least one pseudo-random numbergenerator. 56-62. (canceled)